[Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2?
by Philip Kime
> I didn't mean to imply that it's intentional or that it should be this
> way, just giving you a hand with the analysis. I have some changes
> around this area of password policy that aren't committed and might
> complicate a potential fix, I've filed a bug for you to keep track:
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=216522
Ah, I see, thank you. You can see in the logs that an extop password
change doesn't see non-global policies as you just see a high-level
message that an extop operation was performed and that's all.
17 years, 5 months
[Fedora-directory-users] SASL/Kerberos5 question
by Michał Droździewicz
Hello,
I'm fairly new to FDS (one week maybe). Earlier I was using
OpenLDAP and now I want to migrate from OL to FDS. Everything looks
great (schema conversion and LDIF transfer) but I have one problem. The old
setup was constructed, more or less, so that the passwords weren't stored in
LDAP but in Kerberos, and the 'userPassword' field contained
'uid(a)REALM.INT' in clear text.
Now, when using FDS, I can't find any configuration option that would
make it possible to use Kerberos for storing passwords and still use
FDS to authenticate users. Maybe SASL mappings are for that and you only
have to configure them right. Is there anyone who knows how to do it?
Thanks in advance.
--
email/xmpp: koniczynek(a)uaznia.net
17 years, 5 months
[Fedora-directory-users] ./slapd-start segmentation fault
by Eric Beda
Hi,
I'm quite new to Fedora DS. Recently I have been trying Fedora DS with
the Jamm schema. It worked fine for about half an hour, then whenever I try
to start Fedora DS I get a segmentation fault error as follows:
slapd-servername/./start-slapd: line 33: 2526 Segmentation fault
./ns-slapd -D /opt/fedora-ds/slapd-servername -i
/opt/fedora-ds/slapd-servername/logs/pid -w $STARTPIDFILE "$@"
I was wondering if anybody knows what's going on.
17 years, 5 months
[Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2?
by Philip Kime
> Effective policy is determined by new_passwdPolicy() which considers
> the modification initiated by the password change extop to be internal
> and local policy is not retrieved.
I suspected as much - this should probably go in the password policy
section of the documentation as there are all sorts of recommendations
flying round the Web for setting pam_password to "exop" to allow
password changes to work properly. It does indeed work but as you say,
it bypasses all password policies (except global ones it seems).
PK
17 years, 5 months
[Fedora-directory-users] How to disable subtree level search?
by A G
Hello;
I have a question about an LDAP search issue.
I want to disable full searches on the LDAP tree.
Eg:
My LDAP Tree is:
c=US, o=Dept1, cn=John Smith
c=US, o=Dept1, cn=Ann Adams
I want to deny reading the full listing of the tree and only allow it when
the search condition matches only the required person.
In the example above I want nobody to be listed. But when the search
criterion is "c=US, o=Dept1, cn=Ann Adams", this entry must be listed. When a
search on "c=US" comes, nothing must be listed.
What is the correct Access Control Information for this request?
Thanks.
17 years, 5 months
[Fedora-directory-users] Windows Sync and password policies
by Philip Kime
I just wanted to clarify this -
* If you use Windows passync, you have to enable the password complexity
policy on Windows
* This policy isn't customisable on Windows without writing a custom
passfilt.dll
* So to avoid password policy conflicts, you have to implement password
policies on FDS too and it really needs to be same as the Windows
default password policy.
Correct?
--
Philip Kime
NOPS Systems Architect
310 401 0407
17 years, 5 months
[Fedora-directory-users] Re: Subtree/user pw policy on 1.0.2?
by Philip Kime
> At this point probably single stepping through the code in the debugger
> is the best/quickest route to figure out what's wrong. UTSL and all
> that...
I feared you might say that ... but, for amusement, I tried changing
passwords using ldapmodify and strangely, the subtree pwd policy *is*
enforced but if I do exactly the same pwd mod with ldappasswd, it isn't
enforced. Given that the pw policy is all done on the server side, any
ideas how on earth I could be seeing this?
PK
17 years, 5 months
[Fedora-directory-users] Help with integrating POSTFIX, SAMBA and FEDORA DS
by Eric Beda
Hi
I'm very new to Fedora DS and LDAP in general. I just downloaded it a
couple of weeks ago and I have been playing around with it for some time.
I'm trying to create a directory server and have Postfix and Samba users
authenticate against it. I've been through tutorials on the net, especially
the Fedora DS wiki, but every howto looks at it from a migration scenario,
whereas I'm trying to build this from scratch.
Anyway, I tried going through the tutorials but I get stuck when I try to add
a user with ldapmodify -a: I get an error "unknown object class
courierMailAlias". I tried searching for the objectclass on the net but to no
avail... can anybody please shed some light?
Thanks
17 years, 5 months
[Fedora-directory-users] Re: password policy on FDS 1.0.2 - doesn't seem to work?
by Philip Kime
I think I have an idea about this now ... the problem seems to be the
exop password modify request. Subtree and user policies are ignored from:
* ldappasswd (which uses exop)
* PAM (when pam_password is set to "exop" in /etc/ldap.conf)
But are OK from:
* ldapmodify
* PAM (when pam_password is set to "clear" in /etc/ldap.conf)
So, the RFC 3062 password modification requests seem to bypass the
subtree and user policies. I see this behaviour in 1.0.2 and 1.0.4.
Now, am I right in thinking that I can use "clear" as long as I'm using
SSL to the LDAP server? What about setting local non-LDAP passwords with
this set to "clear"; isn't that dangerous? I can't use "ssha" for
pam_password as then password changes don't seem to work at all, which
is why I changed to "exop".
PK
17 years, 5 months
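The log-side view of the behaviour described in this thread, as an added example that is not code from the posts or from Fedora DS: a small Python audit that pairs each RFC 3062 Password Modify extended operation in a 389/FDS-style access log with its RESULT line, so an administrator can list which password changes went through the extop path that bypasses subtree and user policies. The log lines are constructed; the field layout (conn=, op=, BIND dn=, EXT oid=, RESULT err=) is assumed to follow the FDS access log format, and the extop OID 1.3.6.1.4.1.4203.1.11.1 is the one RFC 3062 assigns.

```python
"""Audit a Fedora DS access log for RFC 3062 Password Modify operations.
Added example for this thread, not code from the posts or the project.  The
line layout follows the 389/FDS access log; the sample lines are constructed."""
import re

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify extop

# Constructed sample log: conn 7 changes a password via the extop (succeeds),
# conn 8 via a plain MOD of userPassword (rejected, err=19 constraint
# violation, i.e. the subtree policy fired), conn 9 via extop (err=49).
SAMPLE_LOG = """\
[14/Nov/2006:10:01:02 -0800] conn=7 op=0 BIND dn="uid=jsmith,ou=People,dc=example,dc=com" method=128 version=3
[14/Nov/2006:10:01:02 -0800] conn=7 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[14/Nov/2006:10:01:03 -0800] conn=7 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[14/Nov/2006:10:01:03 -0800] conn=7 op=1 RESULT err=0 tag=120 nentries=0 etime=0
[14/Nov/2006:10:02:10 -0800] conn=8 op=0 BIND dn="uid=aadams,ou=People,dc=example,dc=com" method=128 version=3
[14/Nov/2006:10:02:11 -0800] conn=8 op=1 MOD dn="uid=aadams,ou=People,dc=example,dc=com"
[14/Nov/2006:10:02:11 -0800] conn=8 op=1 RESULT err=19 tag=103 nentries=0 etime=0
[14/Nov/2006:10:03:00 -0800] conn=9 op=0 BIND dn="uid=bwong,ou=People,dc=example,dc=com" method=128 version=3
[14/Nov/2006:10:03:01 -0800] conn=9 op=1 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop"
[14/Nov/2006:10:03:01 -0800] conn=9 op=1 RESULT err=49 tag=120 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
EXT_RE = re.compile(r'^EXT oid="(?P<oid>[^"]+)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')

def find_extop_password_changes(log_text):
    """Return one record per Password Modify extop: timestamp, conn, op, the DN
    bound on that connection ('' if anonymous) and the RESULT error code."""
    bound, pending, findings = {}, {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, op, rest = m["conn"], m["op"], m["rest"]
        if (b := BIND_RE.match(rest)):
            bound[conn] = b["dn"]                 # remember who is bound on conn
        elif (e := EXT_RE.match(rest)) and e["oid"] == PASSWD_MODIFY_OID:
            pending[(conn, op)] = {"ts": m["ts"], "conn": conn, "op": op,
                                   "bind_dn": bound.get(conn, ""), "err": None}
        elif (r := RESULT_RE.match(rest)) and (conn, op) in pending:
            rec = pending.pop((conn, op))         # pair the RESULT with its EXT
            rec["err"] = int(r["err"])
            findings.append(rec)
    return findings

def successful_extop_changes(log_text):
    """Only the extop changes the server accepted (err=0)."""
    return [f for f in find_extop_password_changes(log_text) if f["err"] == 0]
```

Run against a real access log, the accepted extop changes are the ones whose new passwords were never checked against a subtree or user policy on the affected FDS versions.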