[389-users] Help with setting up Password Policy and SSL/TLS

Rich Megginson rmeggins at redhat.com
Thu Jan 14 19:39:01 UTC 2010


Fulda, Paul R (IS) wrote:
>
> Do not remember where I read that the SSL/TLS is required. But if that 
> is the case, I cannot get the Password Policy to work. For instance, 
> prior to messing around with SSL, I set in the Password Policy to 
> require the user to choose a new password after reset. I reset the 
> users password in the Directory Server and when the user typed that 
> password in on a client machine it did not prompt him to change his 
> password. Also, none of the password complexity settings worked 
> either. Could it be that PAM is overriding the Directory Server and if 
> it is how do I bypass PAM?
>
man pam_ldap
>
> *From:* 389-users-bounces at lists.fedoraproject.org 
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of 
> *Nathan Kinder
> *Sent:* Thursday, January 14, 2010 1:14 PM
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Help with setting up Password Policy and 
> SSL/TLS
>
> On 01/14/2010 10:56 AM, Fulda, Paul R (IS) wrote:
>
> Hi,
>
> I am trying to configure the Password Policy for my users and read 
> that you would not be able to use the Policy unless you set up SSL/TLS.
>
> Where did you read this? SSL/TLS is not required to use the password 
> policy features.
>
> I am using 389 Server version 1.2.2. Also I am running the Server on 
> Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
>
> I followed the instructions in setting up SSL here at 
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> I ran the setupssl2.sh script and it completed with no errors. In the 
> 389 Admin Console I could see the certificates for both the Admin 
> Server and DS Server in the
>
> Manage Certificates screens.
>
> Also, I do not want to use SSL for the Admin Server or the Admin 
> Console. I just want to be able to use it for user authentication so 
> the Password Policy works.
>
> Bottom line is that I cannot get both features (Password Policies and 
> SSL) working. Any help would be greatly appreciated.
>
> Up to this point here are my questions:
>
> 1) In the Directory Server GUI from the 389 Admin Console what 
> certificate do I use to populate the Certificate field in the 
> Encryption Tab?
>
> There are 3 choices it provides after running the setupssl2.sh script 
> which are CA Certificate, server-cert, and server-Cert.
>
> The one named "Server-Cert" should be used for the Directory Server.
>
> 2) In the Client Authentication Block in the same Encryption Tab as #1 
> above, I have selected “Require client authentication”. Is this correct?
>
> Is this how you force the Directory Server to use only port 636 for 
> secure communications? If not, how do you do that?
>
> No. Client authentication refers to using a client certificate to 
> authenticate as opposed to a bind DN and password. You most likely 
> don't want to do this. If you truly want to only use port 636, you can 
> set nsslapd-listenport to "0", but all of your clients will be 
> required to use LDAPS over port 636. You should be really sure that 
> this is what you want.
>
> 3) What are the differences between /etc/openldap/ldap.conf and 
> /etc/ldap.conf? What are the client configurations needed to make this 
> work?
>
> /etc/openldap/ldap.conf is the OpenLDAP client config file. 
> /etc/ldap.conf is the config file for nss_ldap and pam_ldap.
>
> The only ldap.conf file that 
> http://directory.fedoraproject.org/wiki/Howto:SSL talks about 
> configuring is the /etc/openldap/ldap.conf file.
>
> My /etc/openldap/ldap.conf file looks like this:
>
> URI ldap://hadmina.eidev.ngc.com/
> BASE dc=eidev, dc=ngc, dc=com
> TLS_CACERT /etc/openldap/cacerts
> TLS_REQCERT allow
>
> 4) How do you get the certificate on the client machines? What I did 
> was copy from the server the cacert.asc file that is located in 
> /etc/dirsrv/slapd-hadmina to the client machine in the 
> /etc/openldap/cacerts directory. Is this correct?
>
> Thanks and I hope there is someone out there that can help me get this 
> working!
>
> Paul
>
>  
>  
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
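Added example, not from this thread or from the 389 project: a small audit that applies the two answers above, that the password policy is enforced by the server but only reaches the login path through pam_ldap's /etc/ldap.conf, and that /etc/openldap/ldap.conf is a different file with different keys. It parses both client files plus a cn=config fragment and reports settings that quietly defeat the policy or TLS. The file contents are constructed here: the OpenLDAP file mirrors the one posted in the thread, the pam_ldap file is an assumed default with no TLS or policy lines, the cn=config fragment uses the attribute names nsslapd-security, nsslapd-securePort, passwordMustChange, passwordCheckSyntax and passwordMinLength, and fake_is_dir stands in for the filesystem so the code runs offline.

```python
"""Audit /etc/openldap/ldap.conf (libldap, ldapsearch), /etc/ldap.conf
(nss_ldap/pam_ldap) and a cn=config fragment for settings that quietly
defeat a 389 DS password policy or TLS. Added example, not 389 code."""
import os
import re


def parse_conf(text):
    """'KEY value' lines as both ldap.conf flavours use them: keys are
    case-insensitive, '#' starts a comment, the last occurrence wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = re.split(r"\s+", line, maxsplit=1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_ldif_entry(text):
    """Minimal LDIF reader for one entry: 'attr: value' lines, folded
    continuation lines (leading space) joined; names lowercased; a
    multi-valued attribute collapses to its last value (fine for cn=config)."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif line and not line.startswith("#"):
            name, _, value = line.partition(":")
            last = name.strip().lower()
            attrs[last] = value.strip()
    return attrs


def audit_client(openldap_text, pam_ldap_text, is_dir=os.path.isdir):
    """Findings for the OpenLDAP client file and the pam_ldap file.
    is_dir is injectable so the check can run without a real filesystem."""
    o, p, findings = parse_conf(openldap_text), parse_conf(pam_ldap_text), []
    cacert = o.get("tls_cacert")
    if cacert and is_dir(cacert):
        findings.append("openldap: TLS_CACERT %s is a directory; use TLS_CACERTDIR or point at the CA file" % cacert)
    reqcert = o.get("tls_reqcert", "demand").lower()  # libldap default is demand
    if reqcert not in ("demand", "hard"):
        findings.append("openldap: TLS_REQCERT %s accepts an unverifiable server cert; a MITM can collect bind passwords" % reqcert)
    if p.get("ssl", "no").lower() not in ("start_tls", "on"):
        findings.append("pam_ldap: ssl is not start_tls/on; simple binds send the password in the clear")
    checkpeer = p.get("tls_checkpeer", "").lower()
    if checkpeer != "yes" and reqcert not in ("demand", "hard"):
        findings.append("pam_ldap: tls_checkpeer is not yes and libldap is not set to demand; server cert never verified")
    if checkpeer == "yes" and not (p.get("tls_cacertfile") or p.get("tls_cacertdir")):
        findings.append("pam_ldap: tls_checkpeer yes without tls_cacertfile/tls_cacertdir; every TLS handshake fails")
    if p.get("pam_lookup_policy", "").lower() != "yes":
        findings.append("pam_ldap: pam_lookup_policy is not yes; the directory's password policy is not read from the root DSE")
    pw = p.get("pam_password", "clear").lower()
    if pw not in ("clear", "exop"):
        findings.append("pam_ldap: pam_password %s hashes on the client, so passwordCheckSyntax cannot inspect the value" % pw)
    return findings


def audit_server(cn_config_ldif):
    """Findings for cn=config: TLS listener plus the two policy switches the
    thread is about (must change after reset, syntax checking)."""
    c, findings = parse_ldif_entry(cn_config_ldif), []
    if c.get("nsslapd-security", "off").lower() != "on":
        findings.append("server: nsslapd-security is off; nsslapd-securePort is not listened on")
    if c.get("passwordmustchange", "off").lower() != "on":
        findings.append("server: passwordMustChange is off; a reset password is not forced to change at next bind")
    if c.get("passwordchecksyntax", "off").lower() != "on":
        findings.append("server: passwordCheckSyntax is off; passwordMinLength and the other syntax rules are not enforced")
    return findings


# Constructed inputs. The OpenLDAP file mirrors the one posted in the thread; the
# pam_ldap file is an assumed default /etc/ldap.conf with no TLS or policy lines.
OPENLDAP_AS_POSTED = ("URI ldap://hadmina.eidev.ngc.com/\nBASE dc=eidev, dc=ngc, dc=com\n"
                      "TLS_CACERT /etc/openldap/cacerts\nTLS_REQCERT allow\n")
PAM_LDAP_AS_POSTED = "host hadmina.eidev.ngc.com\nbase dc=eidev, dc=ngc, dc=com\n"
# Hardened pair: verify the server cert against the CA file copied from the
# server's /etc/dirsrv/slapd-hadmina/cacert.asc, StartTLS for binds, policy on.
OPENLDAP_HARDENED = ("URI ldap://hadmina.eidev.ngc.com/\nBASE dc=eidev, dc=ngc, dc=com\n"
                     "TLS_CACERT /etc/openldap/cacerts/cacert.asc\nTLS_REQCERT demand\n")
PAM_LDAP_HARDENED = ("uri ldap://hadmina.eidev.ngc.com/\nbase dc=eidev, dc=ngc, dc=com\n"
                     "ssl start_tls\ntls_checkpeer yes\n"
                     "tls_cacertfile /etc/openldap/cacerts/cacert.asc\n"
                     "pam_lookup_policy yes\npam_password exop\n")
CN_CONFIG_FRAGMENT = ("dn: cn=config\nnsslapd-security: on\nnsslapd-securePort: 636\n"
                      "passwordMustChange: on\npasswordCheckSyntax: off\npasswordMinLength: 8\n")


def fake_is_dir(path):
    """Stand-in for os.path.isdir so the example runs offline: only the bare
    cacerts directory from the posted config counts as a directory."""
    return path == "/etc/openldap/cacerts"


if __name__ == "__main__":
    for label, findings in (
        ("as posted", audit_client(OPENLDAP_AS_POSTED, PAM_LDAP_AS_POSTED, fake_is_dir)),
        ("hardened", audit_client(OPENLDAP_HARDENED, PAM_LDAP_HARDENED, fake_is_dir)),
        ("cn=config", audit_server(CN_CONFIG_FRAGMENT)),
    ):
        print("%s: %d finding(s)" % (label, len(findings)))
        for f in findings:
            print("  -", f)
```

Run it as is to see the five findings for the posted configuration against none for the hardened pair; on a real client, drop the fake_is_dir argument so TLS_CACERT is checked against the actual filesystem. The TLS_REQCERT and tls_checkpeer checks matter because a client that accepts any server certificate hands its bind password to whoever answers on port 389 or 636, which undoes the point of turning SSL/TLS on for authentication in the first place.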