[389-users] Help with setting up Password Policy and SSL/TLS
Rich Megginson
rmeggins at redhat.com
Thu Jan 14 19:39:01 UTC 2010
Fulda, Paul R (IS) wrote:
>
> Do not remember where I read that the SSL/TLS is required. But if that
> is the case, I cannot get the Password Policy to work. For instance,
> prior to messing around with SSL, I set in the Password Policy to
> require the user to choose a new password after reset. I reset the
> users password in the Directory Server and when the user typed that
> password in on a client machine it did not prompt him to change his
> password. Also, none of the password complexity settings worked
> either. Could it be that PAM is overriding the Directory Server and if
> it is how do I bypass PAM?
>
man pam_ldap
>
> *From:* 389-users-bounces at lists.fedoraproject.org
> [mailto:389-users-bounces at lists.fedoraproject.org] *On Behalf Of
> *Nathan Kinder
> *Sent:* Thursday, January 14, 2010 1:14 PM
> *To:* General discussion list for the 389 Directory server project.
> *Subject:* Re: [389-users] Help with setting up Password Policy and
> SSL/TLS
>
> On 01/14/2010 10:56 AM, Fulda, Paul R (IS) wrote:
>
> Hi,
>
> I am trying to configure the Password Policy for my users and read
> that you would not be able to use the Policy unless you set up SSL/TLS.
>
> Where did you read this? SSL/TLS is not required to use the password
> policy features.
>
> I am using 389 Server version 1.2.2. Also I am running the Server on
> Fedora 11 64 bit. All clients are also Fedora 11 64 bit.
>
> I followed the instructions in setting up SSL here at
> http://directory.fedoraproject.org/wiki/Howto:SSL
>
> I ran the setupssl2.sh script and it completed with no errors. In the
> 389 Admin Console I could see the certificates for both the Admin
> Server and DS Server in the
>
> Manage Certificates screens.
>
> Also, I do not want to use SSL for the Admin Server or the Admin
> Console. I just want to be able to use it for user authentication so
> the Password Policy works.
>
> Bottom line is that I cannot get both features (Password Policies and
> SSL) working. Any help would be greatly appreciated.
>
> Up to this point here are my questions:
>
> 1) In the Directory Server GUI from the 389 Admin Console what
> certificate do I use to populate the Certificate field in the
> Encryption Tab?
>
> There are 3 choices it provides after running the setupssl2.sh script
> which are CA Certificate, server-cert, and server-Cert.
>
> The one named "Server-Cert" should be used for the Directory Server.
>
> 2) In the Client Authentication Block in the same Encryption Tab as #1
> above, I have selected “Require client authentication”. Is this correct?
>
> Is this how you force the Directory Server to use only port 636 for
> secure communications? If not, how do you do that?
>
> No. Client authentication refers to using a client certificate to
> authenticate as opposed to a bind DN and password. You most likely
> don't want to do this. If you truly want to only use port 636, you can
> set nsslapd-listenport to "0", but all of your clients will be
> required to use LDAPS over port 636. You should be really sure that
> this is what you want.
>
> 3) What are the differences between /etc/openldap/ldap.conf and
> /etc/ldap.conf? What are the client configurations needed to make this
> work?
>
> /etc/openldap/ldap.conf is the OpenLDAP client config file.
> /etc/ldap.conf is the config file for nss_ldap and pam_ldap.
>
> The only ldap.conf file that
> http://directory.fedoraproject.org/wiki/Howto:SSL talks about
> configuring is the /etc/openldap/ldap.conf file.
>
> My /etc/openldap/ldap.conf file looks like this:
>
> URI ldap://hadmina.eidev.ngc.com/
>
> BASE dc=eidev, dc=ngc, dc=com
>
> TLS_CACERT /etc/openldap/cacerts
>
> TLS_REQCERT allow
>
> 4) How do you get the certificate on the client machines? What I did
> was copy from the server the cacert.asc file that is located in
> /etc/dirsrv/slapd-hadmina
>
> to the client machine in /etc/openldap/cacerts directory. Is this correct?
>
> Thanks and I hope there is someone out there that can help me get this
> working!
>
> Paul
>
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org <mailto:389-users at lists.fedoraproject.org>
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
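Nathan's answers above settle which certificate to pick and what the two ldap.conf files are for, but the client file Paul posted still has two weak settings: TLS_CACERT points at a directory instead of a CA file, and TLS_REQCERT allow lets the session proceed even when the server certificate cannot be verified, so a failed CA load goes unnoticed. The following is an added example (not from the original thread or the 389 project): the posted /etc/openldap/ldap.conf beside a corrected one, plus the /etc/ldap.conf fragment for nss_ldap/pam_ldap that question 3 asks about. The hostname and base DN are the ones Paul posted; the CA file path and the pam_ldap option names and values are assumptions to check against man ldap.conf and man pam_ldap.

```conf
# --- /etc/openldap/ldap.conf as posted in the thread (weak) ---
URI         ldap://hadmina.eidev.ngc.com/
BASE        dc=eidev,dc=ngc,dc=com
# TLS_CACERT expects a file; a directory here means no CA is ever loaded
TLS_CACERT  /etc/openldap/cacerts
# "allow" continues the session even if the server cert is missing or bad
TLS_REQCERT allow

# --- /etc/openldap/ldap.conf, corrected ---
# Assumption: cacert.asc copied from /etc/dirsrv/slapd-hadmina on the
# server was saved on each client as /etc/openldap/cacerts/cacert.asc
URI         ldaps://hadmina.eidev.ngc.com/
BASE        dc=eidev,dc=ngc,dc=com
# the CA *file*; with several CA files, c_rehash the directory and use
# TLS_CACERTDIR /etc/openldap/cacerts instead
TLS_CACERT  /etc/openldap/cacerts/cacert.asc
# refuse the session unless the server certificate verifies
TLS_REQCERT demand

# --- /etc/ldap.conf for nss_ldap and pam_ldap (the file "man pam_ldap"
# describes); option names assumed from the pam_ldap documentation ---
uri             ldap://hadmina.eidev.ngc.com/
base            dc=eidev,dc=ngc,dc=com
# upgrade the port-389 connection with StartTLS (ldaps on 636 is "ssl on")
ssl             start_tls
# verify the server certificate against the copied CA
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacerts/cacert.asc
# send password changes with the Password Modify extended operation so the
# server sees the cleartext value (inside TLS) and can apply its own syntax
# and reset rules; a client-side hash (crypt/md5) bypasses those checks
pam_password    exop
# assumed: let pam_ldap look up the server's password policy settings
pam_lookup_policy yes
```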