Hello,
Linux authentication based on FDS works fine; I log into the system via ssh and all the users are in the FDS directory. Cool!!!
But I need to apply an account security policy to users (for example, every 60 days these users must change their password, or they can't reuse the same password 3 times consecutively).
But FDS doesn't work with the shadow parameters: I run "getent passwd" and see all users (local and in FDS), but when I run "getent shadow" it only shows the local accounts, none of the accounts in FDS.
How is it possible to manage the security policy from posixAccount and, more importantly, to keep it a transparent process for the users?
URL?? manual?? docs?? others??
thanks
On Tue, 2007-09-25 at 09:55 -0400, Victor Hugo dos Santos wrote:
Your accounts need to have the "shadowAccount" objectclass, and "shadowLastChange" needs to be writable by ldap:///self or by the DN that changes their password on their behalf (if you use "rootbinddn" in your pam ldap.conf).
-Steve
2007/9/25, Steve Rigler srigler@marathonoil.com:
Mmm... in testing it doesn't work..

debian2:/etc/ssl/certs# getent shadow | grep camador
camador:*:13524::99999:7:::0
debian2:/etc/ssl/certs# passwd camador
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information changed for camador
passwd: password updated successfully
debian2:/etc/ssl/certs# getent shadow | grep camador
camador:*:13524::99999:7:::0

As you can see, the shadow info is the same before and after the password change.
Any other idea??
thanks
On Tue, 2007-09-25 at 12:08 -0400, Victor Hugo dos Santos wrote:
Did you add an ACI to allow write access to "shadowLastChange"?
-Steve
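The two points Steve makes (the entry needs the shadowAccount objectclass, and the bind DN that changes the password must be allowed to write shadowLastChange) and the symptom Victor posted (shadowLastChange still 13524 after a successful passwd run) can be checked mechanically. The following is an added example written for this thread, not code from the original posts or from FDS/389 itself. It assumes, as the page does not state, that pam_ldap stores shadowLastChange as whole days since 1970-01-01 when it changes a password, that the 60-day rotation is expressed as shadowMax=60, and that the DNs dc=example,dc=com and uid=camador,ou=People,dc=example,dc=com are hypothetical placeholders for the real suffix and user entry.

```python
"""Shadow-attribute checks for LDAP posixAccount entries (added example).

Assumptions, not stated on the page: pam_ldap writes shadowLastChange as days
since 1970-01-01; shadowMax=60 expresses the 60-day rotation; the DNs used in
shadow_fix_ldif() are hypothetical.
"""
from datetime import date

EPOCH = date(1970, 1, 1)
FIELDS = ("name", "password", "lastchange", "min", "max",
          "warn", "inactive", "expire", "flag")


def epoch_days(when):
    """Days since 1970-01-01 (the unit of every shadow time field).

    Accepts a datetime.date or a 'YYYY-MM-DD' string.
    """
    if isinstance(when, str):
        when = date.fromisoformat(when)
    return (when - EPOCH).days


def parse_shadow_line(line):
    """Parse one 'getent shadow' line; empty numeric fields become None."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields in %r" % (len(FIELDS), line))
    rec = dict(zip(FIELDS, parts))
    for key in FIELDS[2:]:
        rec[key] = int(rec[key]) if rec[key] != "" else None
    return rec


def password_state(rec, today, max_days=None):
    """Classify the account the way a shadow-aware PAM stack would.

    max_days overrides the record's own shadowMax (99999 means 'never').
    Returns 'ok', 'warn' (inside the shadowWarning window) or 'expired'.
    """
    max_age = max_days if max_days is not None else rec["max"]
    if rec["lastchange"] is None or max_age is None or max_age >= 99999:
        return "ok"
    age = epoch_days(today) - rec["lastchange"]
    if age > max_age:
        return "expired"
    if age >= max_age - (rec["warn"] or 0):
        return "warn"
    return "ok"


def lastchange_updated(before_line, after_line, change_date):
    """True if a password change on change_date actually bumped shadowLastChange.

    When it did not (the thread's symptom), the client was allowed to change
    userPassword but not to write shadowLastChange: the ACI is the first thing
    to check.
    """
    before = parse_shadow_line(before_line)
    after = parse_shadow_line(after_line)
    return (after["lastchange"] == epoch_days(change_date)
            and after["lastchange"] != before["lastchange"])


def shadow_fix_ldif(suffix, user_dn, max_days=60, warn_days=7):
    """LDIF that (1) lets users write their own shadowLastChange and
    userPassword and (2) turns a posixAccount into a shadowAccount carrying
    the rotation policy. Apply with ldapmodify bound as Directory Manager.
    Note the ACI subject syntax is ldap:///self (three slashes)."""
    aci = ('(targetattr="shadowLastChange || userPassword")'
           '(version 3.0; acl "users update own password and shadowLastChange";'
           ' allow (write) userdn="ldap:///self";)')
    return "\n".join([
        "dn: %s" % suffix,
        "changetype: modify",
        "add: aci",
        "aci: %s" % aci,
        "",
        "dn: %s" % user_dn,
        "changetype: modify",
        "add: objectClass",
        "objectClass: shadowAccount",
        "-",
        "add: shadowMax",
        "shadowMax: %d" % max_days,
        "-",
        "add: shadowWarning",
        "shadowWarning: %d" % warn_days,
        "",
    ])


if __name__ == "__main__":
    # The two getent lines from the thread, taken before and after 'passwd camador'
    # on the thread's date; they are identical, which is the symptom.
    before = "camador:*:13524::99999:7:::0"
    after = "camador:*:13524::99999:7:::0"
    print("shadowLastChange updated:", lastchange_updated(before, after, "2007-09-25"))
    print("state with shadowMax=60:",
          password_state(parse_shadow_line(after), "2007-09-25", max_days=60))
    print(shadow_fix_ldif("dc=example,dc=com", "uid=camador,ou=People,dc=example,dc=com"))
```

With Victor's two lines the check reports that shadowLastChange was not updated (13524 is 2007-01-11; a change on 2007-09-25 should have written 13781), and with shadowMax=60 the account would already count as expired, which is exactly what the ACI fix unblocks. If "rootbinddn" is in use, the userdn in the ACI should name that DN instead of (or in addition to) ldap:///self.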
2007/9/25, Steve Rigler srigler@marathonoil.com:
Oops... sorry. Now it works fine!!!
Any other recommendations for working with posixAccount, FDS and security??
thanks very, very much
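The thread settles the 60-day rotation on the client side (shadowAccount plus a writable shadowLastChange), but the other requirement from the first message, not reusing the last 3 passwords, is not a shadow attribute at all; it is enforced by the directory's own password policy. The following is an added example, not part of the thread or of the FDS documentation: a global password policy on cn=config that sets the same 60-day maximum age (passwordMaxAge is in seconds: 60 * 86400), a 7-day warning, a history of 3, and forces a change after an administrative reset. The values are assumptions chosen to match the thread's stated requirements.

```ldif
# Added example: FDS/389 global password policy matching the thread's
# requirements. Apply as Directory Manager, e.g.
#   ldapmodify -x -D "cn=Directory Manager" -W -f policy.ldif
dn: cn=config
changetype: modify
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 5184000
-
replace: passwordWarning
passwordWarning: 604800
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 3
-
replace: passwordMustChange
passwordMustChange: on
```

Keep the server-side passwordMaxAge and the per-entry shadowMax in agreement, otherwise the directory and the PAM stack will disagree about when a password has expired. The server-side policy is applied at bind time regardless of what the client knows about shadow attributes, so verify with a throwaway account that the ssh and passwd flow still looks transparent to users once a password is past its age.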
389-users@lists.fedoraproject.org