[389-users] 389-users Digest, Vol 90, Issue 3

albert.solaris albert.solaris at gmail.com
Thu Nov 8 17:52:00 UTC 2012


On 11/06/2012 07:00 AM, 389-users-request at lists.fedoraproject.org wrote:
> Send 389-users mailing list submissions to
> 	389-users at lists.fedoraproject.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://admin.fedoraproject.org/mailman/listinfo/389-users
> or, via email, send a message with subject or body 'help' to
> 	389-users-request at lists.fedoraproject.org
>
> You can reach the person managing the list at
> 	389-users-owner at lists.fedoraproject.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of 389-users digest..."
>
>
> Today's Topics:
>
>     1. Re: 389-users Digest, Vol 90, Issue 2 (albert.solaris)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 05 Nov 2012 12:05:13 -0500
> From: "albert.solaris" <albert.solaris at gmail.com>
> To: 389-users at lists.fedoraproject.org
> Subject: Re: [389-users] 389-users Digest, Vol 90, Issue 2
> Message-ID: <5097F1C9.4070009 at gmail.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> On 11/02/2012 08:00 AM, 389-users-request at lists.fedoraproject.org wrote:
>>
>> Today's Topics:
>>
>>      1. LDAP authentication related - CANNOT change password by
>>         running passwd on clients (albert.solaris)
>>      2. Re: LDAP authentication related - CANNOT change password by
>>         running passwd on clients (Dan Lavu)
>>      3. Re: LDAP authentication related - CANNOT change password by
>>         running passwd on clients (Grzegorz Dwornicki)
>>
>>
>> ----------------------------------------------------------------------
>>
>> Message: 1
>> Date: Thu, 01 Nov 2012 16:02:39 -0400
>> From: "albert.solaris" <albert.solaris at gmail.com>
>> To: 389 Mail list <389-users at lists.fedoraproject.org>
>> Subject: [389-users] LDAP authentication related - CANNOT change
>> 	password by running passwd on clients
>> Message-ID: <5092D55F.8020001 at gmail.com>
>> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>>
>> I am stuck in the 389 DS implementation, hope someone could help me out.
>>
>> My situation is that I am trying to establish a cute enterprise
>> environment with VMWorkstation and CentOS.  All guest OSs are CentOS6.3
>> based.  So far I have got DNS, DHCP, Gateway, and File server working
>> perfectly;  However, the 389 LDAP server here, Hmm... I would say it is
>> partially working.  And this is also where you come in.
>>
>> What does it mean by 'partially working' exactly?  Let me tell you.
>>
>> What happened here is that I've installed and configured 389 DS without
>> SSL/TLS enabled, and migrated local users on my file server to the LDAP
>> already.  Now, from my DHCP clients, also LDAP clients, I can retrieve
>> information within the LDAP server by running ldapsearch; I can even
>> change to regular users (i.e. user1/user2/.../user10 created on the file
>> server) with the Autofs home directory mounted automatically.  Somehow, I
>> cannot change passwords by running the passwd command.
>>
>> Here is what I got when changing.
>> [root at dhcpclient sssd]# su - user1
>> [user1 at dhcpclient ~]$
>> [user1 at dhcpclient ~]$ passwd
>> Changing password for user user1.
>> Current Password:
>> passwd: Authentication token manipulation error
>> [user1 at dhcpclient ~]$
>>
>> I am new to Linux, so I have no idea about the reason behind that.  Is it
>> an LDAP ACL issue, or an sssd configuration issue, or a PAM security
>> issue, or whatever else?
>>
>> If you could help me out, that would be great.  Please let me know if
>> you want any configuration files from me.  I don't want to attach
>> everything here to scare you.
>>
>> ------------------------------
>>
>> Message: 2
>> Date: Thu, 1 Nov 2012 16:19:30 -0400
>> From: Dan Lavu <dan at lavu.net>
>> To: "General discussion list for the 389 Directory server project."
>> 	<389-users at lists.fedoraproject.org>
>> Subject: Re: [389-users] LDAP authentication related - CANNOT change
>> 	password by running passwd on clients
>> Message-ID: <ecc11d69cbd3ae780f9063778decdcc4 at mail.gmail.com>
>> Content-Type: text/plain; charset="windows-1252"
>>
>> First I would check the ACI (Access Control Instruction): you will see in
>> IDM which level in the tree (ACI); right click and go to ACI (you can view
>> all the inherited instructions) and make sure the users who log in have the
>> permission to selfwrite.
>>
>> The next part: by default this works, but I believe it depends on which
>> encryption and mapping you’re using for your password hash, so you have to
>> go into the 389 config, check the hashing algorithm, and check your
>> ldap.conf (or are you using sssd?) and make sure the password mapping
>> attribute is correct.
>>
>> Hope this helps.
>>
>> Dan
>>
>>
>> ------------------------------
>>
>> Message: 3
>> Date: Thu, 1 Nov 2012 22:08:06 +0100
>> From: Grzegorz Dwornicki <gd1100 at gmail.com>
>> To: "General discussion list for the 389 Directory server project."
>> 	<389-users at lists.fedoraproject.org>
>> Subject: Re: [389-users] LDAP authentication related - CANNOT change
>> 	password by running passwd on clients
>> Message-ID:
>> 	<CAOP-CUcRNz=9T5DcZjgFv7tyqsAVUp=YxANU7G+4s0NVxpuvNw at mail.gmail.com>
>> Content-Type: text/plain; charset="iso-8859-2"
>>
>> Could you also provide us with error logs from LDAP? Do this just after
>> passwd failed. This will tell us more about errors on the LDAP side (like the
>> possible ACI problems).
>>
>> The passwd hash algorithm for pam_ldap you can configure in /etc/nss_ldap.conf.
>> Search for 'password crypt' and uncomment it. You must make the other password
>> lines commented to be sure this works.
>>
>> ------------------------------
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>> End of 389-users Digest, Vol 90, Issue 2
>> ****************************************
> Hi Dan,
>
> Here is my ACI:
>
> ACI for dc=lab,dc=org
> ------------------------------
> (targetattr != "userPassword")
> (version 3.0;
> acl "Enable anonymous access";
> allow (read,compare,search,selfwrite)
> (userdn = "ldap:///anyone")
> ;)
>
> ACI for ou=People,dc=lab,dc=org
> ---------------------------------------------
> (targetattr = "userPassword || telephoneNumber ||
> facsimileTelephoneNumber") (version 3.0;acl "Allow self entry
> modification";allow (write)(userdn = "ldap:///self");)
>
> Yes, I am using sssd on the LDAP clients, which seems to be the default on
> CentOS6.3.
> Could you please kindly point out what/how to check this part? Again, I
> am really new and on the learning journey.
>
> Thanks.
>
>
> ------------------------------
>
>
> End of 389-users Digest, Vol 90, Issue 3
> ****************************************
Since SSSD must be over a secure channel, it was never going to work for 
my case.  In addition, I had some issues getting my 389 DS signed.  
So what I could do was to get LDAP working first in non-secure mode.

So, I had to refresh some of my LDAP clients to RHEL5.8-based ones.  With the 
default nss_ldap configuration, they are able to talk to my LDAP server 
correctly without any changes to the ACI on 389 DS.

Now what I can do is:
. Log in as a regular user authenticated by the central LDAP server with 
the Autofs home directory mounted
. Change clients' passwords with the /usr/bin/passwd command without problems

Fortunately, I also set up my self-signed CA and got LDAP signed yesterday.
I can do even more, like:
. Retrieve LDAP info via secure/non-secure mode. (#ldapsearch -z / 
#ldapsearch -z -ZZ)

So far my 389 DS is working for both CentOS6.3 and RHEL5.8 in 
secure/non-secure mode.  Cheering!

The only thing I have not worked out yet is that I cannot retrieve user 
email addresses through the Thunderbird Address Book.  I don't know why. It is 
working for non-secure mode, but not for secure mode.

I am supposed to see the confirmation window of the digital certificate when 
accessing for the first time, but it didn't happen for some reason. To me, it 
seemed to be some connection issue between email clients and the 389 server.

I have to work it out in the following days.

Any advice and suggestions would be greatly appreciated!
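An added example, not from the thread: a small Python model (my own, not 389 DS's ACI engine) of how the two ACIs posted earlier in this thread are evaluated, which answers Dan's question of whether a user who logs in may write their own userPassword. The evaluation rules are simplified assumptions (allow rules only, targetattr and userdn only, an ACI covering the entry it sits on plus its subtree), and any user DN fed to it is a constructed sample.

```python
import re
# Added example, not 389 DS's own ACI engine: a small model of how the two ACIs
# quoted in this thread are evaluated. Only targetattr (= / !=), "allow" and
# userdn = ldap:///anyone | ldap:///self are understood; deny rules, targetfilter
# and groupdn are not modelled.
ACI_RE = re.compile(
    r'\(targetattr\s*(!?=)\s*"([^"]+)"\)\s*\(version 3\.0;\s*acl\s*"([^"]+)";'
    r'\s*allow\s*\(([^)]+)\)\s*\(userdn\s*=\s*"([^"]+)"\)\s*;\s*\)')

# The two ACIs as posted, each with the entry it is attached to (an ACI
# applies to that entry and the subtree below it).
ACIS_FROM_THREAD = [
    ("dc=lab,dc=org", '''(targetattr != "userPassword")
(version 3.0;
acl "Enable anonymous access";
allow (read,compare,search,selfwrite)
(userdn = "ldap:///anyone")
;)'''),
    ("ou=People,dc=lab,dc=org", '''(targetattr = "userPassword || telephoneNumber ||
facsimileTelephoneNumber") (version 3.0;acl "Allow self entry
modification";allow (write)(userdn = "ldap:///self");)'''),
]

def parse_aci(scope, text):
    m = ACI_RE.search(" ".join(text.split()))   # undo the mail line wrapping
    if not m:
        raise ValueError("unsupported ACI syntax: %r" % text)
    op, attrs, name, rights, userdn = m.groups()
    return {"scope": scope.lower(), "name": name, "negate": op == "!=",
            "attrs": {a.strip().lower() for a in attrs.split("||")},
            "rights": {r.strip().lower() for r in rights.split(",")},
            "userdn": userdn}

def _matches(aci, bind_dn, target_dn, attr):
    target_dn = target_dn.lower()
    if not target_dn.endswith(aci["scope"]):   # entry outside the ACI's subtree
        return False
    if (attr.lower() in aci["attrs"]) == aci["negate"]:   # "!=" = all other attrs
        return False
    if aci["userdn"] == "ldap:///anyone":
        return True
    return (aci["userdn"] == "ldap:///self" and bind_dn is not None
            and bind_dn.lower() == target_dn)   # self: own entry only

def allowed(acis, bind_dn, target_dn, attr, right):
    """389 DS denies by default: some allow ACI must grant the right."""
    return any(right in a["rights"] and _matches(a, bind_dn, target_dn, attr)
               for a in acis)

ACIS = [parse_aci(s, t) for s, t in ACIS_FROM_THREAD]
```

Under these two ACIs a bound user may write its own userPassword while anonymous binds cannot read it, so the ACI itself is not what blocks passwd; the later messages in the thread point at the client transport instead.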
