8:03 a.m.
Hello,
I've finally got the SSL working. Thanks for all the help.
When I try to login with an imported account from OpenLDAP I get the message
that my account is expired and that I need to change my LDAP password
immediately.
When trying this I get an error
# ssh jdtroy@ldapserver
jdtroy@ldapserver's password:
You are required to change your password immediately (password aged)
You are required to change your LDAP password immediately.
Last login: Fri Jan 13 14:38:12 2006 from ldapserver
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user jdtroy.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Current passwd must be supplied by the user.
passwd: Permission denied
Connection to ldapserver closed.
In /var/log/messages I get pam_ldap: ldap_extended_operation_s Unknow error
Any idea on what I'm doing wrong?
In /etc/ldap.conf I do have
pam_lookup_policy yes
pam_password exop
pam_password md5
ssl on
ssl start_tls
tls_cacertfile /path/to/cacertfile
Thanks in advance,
Jo
1:39 p.m.
New subject: [Fedora-directory-users] is the howto:Posix wiki correct?
For host-based access control, the new method says to do the following:
New Method
There is already an AUXILIARY objectclass provided with the pam/nss ldap distribution on
Linux
systems: hostObject. On a RHEL4 system, this is in the schema file
/usr/share/doc/nss_ldap-226/ldapns.schema in OpenLDAP format. You can convert to Fedora DS
schema
format using Howto:OpenLDAPMigration like so:
perl ol-schema-migrate.pl /usr/share/doc/nss_ldap-226/ldapns.schema >
/opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif
However, I was able to get that working without the schema conversion, by adding
'account'
objectClass and then the host attribute. It works fine and is much simpler, really...
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
2:42 p.m.
New subject: [Fedora-directory-users] is the howto:Posix wiki correct?
Susan wrote:
For host-based access control, the new method says to do the
following:
New Method
There is already an AUXILIARY objectclass provided with the pam/nss ldap distribution on
Linux
systems: hostObject. On a RHEL4 system, this is in the schema file
/usr/share/doc/nss_ldap-226/ldapns.schema in OpenLDAP format. You can convert to Fedora DS
schema
format using Howto:OpenLDAPMigration like so:
perl ol-schema-migrate.pl /usr/share/doc/nss_ldap-226/ldapns.schema >
/opt/fedora-ds/slapd-localhost/config/schema/61ldapns.ldif
However, I was able to get that working without the schema conversion, by adding
'account'
objectClass and then the host attribute. It works fine and is much simpler, really...
Yes, but it is not LDAP standard and not portable. account is a
structural objectclass - that means you are not supposed to add it to an
entry that already has a structural objectclass. See the NOTE under Old
Method - http://directory.fedora.redhat.com/wiki/Howto:Posix
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
9:58 a.m.
New subject: [Fedora-directory-users] is the howto:Posix wiki correct?
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
Yes, but it is not LDAP standard and not portable. account is a
structural objectclass - that means you are not supposed to add it to an
entry that already has a structural objectclass. See the NOTE under Old
Method - http://directory.fedora.redhat.com/wiki/Howto:Posix
the problem is that you cannot add the host attribute (or the hostObject objectclass) from
the gui
UNTIL you add the account objectClass. Neither one is on the list, even with the newly
created
61ldapns schema imported. There must a bug in the UI or something...
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
10:50 a.m.
New subject: [Fedora-directory-users] is the howto:Posix wiki correct?
Susan wrote:
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
>Yes, but it is not LDAP standard and not portable. account is a
>structural objectclass - that means you are not supposed to add it to an
>entry that already has a structural objectclass. See the NOTE under Old
>Method - http://directory.fedora.redhat.com/wiki/Howto:Posix
>
>
the problem is that you cannot add the host attribute (or the hostObject objectclass) from
the gui
UNTIL you add the account objectClass. Neither one is on the list, even with the newly
created
61ldapns schema imported. There must a bug in the UI or something...
You have to restart the server to read in the new schema file, then you
have to restart the console in order for it to pick up the new schema
from the server. If you've done that, and still no luck, then this is a
console bug.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--
Fedora-directory-users mailing list
Fedora-directory-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
12:12 p.m.
New subject: [Fedora-directory-users] is the howto:Posix wiki correct?
--- Richard Megginson <rmeggins(a)redhat.com> wrote:
You have to restart the server to read in the new schema file, then
you
have to restart the console in order for it to pick up the new schema
from the server. If you've done that, and still no luck, then this is a
console bug.
restarting the console made the hostObject objectclass available but still no
'host' attribute.
Must be a bug then...
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
6670
days inactive
6671
days old
389-users@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
Jo De Troy -
Rich Megginson -
Susan