[389-users] Password + anything works ?

Ali Jawad ali.jawad at splendor.net
Tue Nov 13 11:51:00 UTC 2012


Hi All
I am trying to change the password using passwd, please see below:

[xyz at server ~]$ passwd
Changing password for user xyz.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Confidentiality required
Operation requires a secure connection.

The error log shows
Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok):
user "xyz" does not exist in /etc/passwd

PAM config follows:

/etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth

/etc/pam.d/system-auth

#/etc/pam.d/system-auth
#%PAM-1.0

auth            required          pam_env.so
auth            sufficient      pam_unix.so
auth            sufficient      pam_ldap.so  use_first_pass
auth            required          pam_deny.so

account  sufficient     pam_unix.so
account  sufficient     pam_ldap.so use_first_pass
account  required         pam_deny.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so


#password        required        pam_cracklib.so retry=3 minlen=2
 dcredit=0  ucredit=0
#password        sufficient      pam_unix.so nullok use_authtok md5 shadow
#password        sufficient      pam_ldap.so
#password        required          pam_deny.so

session  optional         pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required         pam_limits.so
session  required         pam_unix.so
session  optional         pam_ldap.so



On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittolani at gmail.com> wrote:

> Hello
>
>
>
> On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.jawad at splendor.net> wrote:
> > Hi Arpit
> > Actually I was attempting to change the password using command line
> >
> > passwd
> >
> > I.e. each user changes his own password, is passwd the right choice here
> ?
> >
>
> Yes, passwd is the right choice, considering you have pam_ldap.so properly
> configured, and yes, passwd doesn't need ssl/tls to be configured.
>
>
> > Regards
> >
> > On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittolani at gmail.com>
> > wrote:
> >>
> >> Hello
> >>
> >> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.jawad at splendor.net>
> >> wrote:
> >> > In that case I have a major overhaul that I need to complete, change
> >> > password is not working for me, my assumption is that it only works
> with
> >> > TLS
> >> > enabled between the client and the server, I have tried to get TLS to
> >> > run a
> >> > few times but could not get it to run so far. Am I right about the
> >> > assumption that I need encryption between the server and the clients
> for
> >> > password change to work ?
> >> > Regards
> >> >
> >>
> >> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing
> >> the password using ldapmodify; it doesn't require an ssl/tls connection.
> >>
> >> >
> >> > On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <mareynol at redhat.com>
> >> > wrote:
> >> >>
> >> >> Only "crypt" uses the first 8 characters, so any other scheme would
> be
> >> >> fine.  After you change the scheme you will need to force all the
> users
> >> >> to
> >> >> change their passwords - otherwise their crypt passwords will still
> be
> >> >> present.
> >> >>
> >> >>
> >> >>
> >> >> On 11/12/2012 01:52 PM, Ali Jawad wrote:
> >> >>
> >> >> Hi All
> >> >> This is an all Linux environment with 389 being used as the sole
> >> >> authentication mechanism, I do believe I am using crypt, I am out of
> >> >> office
> >> >> right now, what should I use instead of crypt to match more
> characters
> >> >> ?
> >> >> Regards
> >> >>
> >> >> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <mareynol at redhat.com>
> >> >> wrote:
> >> >>>
> >> >>> Also what password storage scheme are you using?  For example
> "crypt"
> >> >>> only checks the first 8 characters of a password.
> >> >>>
> >> >>>
> >> >>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
> >> >>>
> >> >>> In regards to a password policy? Just 389 or are you using winsync
> >> >>> with
> >> >>> AD? Because the password policy from AD does not transfer over. Also
> >> >>> they
> >> >>> are some extra steps if you want to setup an OU based password
> policy
> >> >>> but if
> >> >>> you just do it for the entire directory through ‘configuration’ it
> >> >>> works
> >> >>> with no issues.
> >> >>>
> >> >>> Dan
> >> >>>
> >> >>> From: Ali Jawad <ali.jawad at splendor.net>
> >> >>> Sent: November 12, 2012 6:00 AM
> >> >>> To: General discussion list for the 389 Directory server project.
> >> >>> Subject: [389-users] Password + anything works ?
> >> >>>
> >> >>> Hi
> >> >>> I just noticed that you can use the password+ANYLetters and it will
> >> >>> work, i.e. if the password is xyz, xyz99 or xyzABC will work as well.
> >> >>> Is this a misconfiguration on my part or a bug?
> >> >>> Regards
> >> >>>
> >>
> >> Regards
> >> Arpit Tolani
> >> --
> >> 389 users mailing list
> >> 389-users at lists.fedoraproject.org
> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >
> >
> >
> >
> > --
> > Ali Jawad
> > Information Systems Manager
> > CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
> > Splendor Telecom (www.splendor.net)
> > Beirut, Lebanon
> > Phone: +9611373725/ext 116
> > FAX: +9611375554
> >
> >
> >
> > --
> > 389 users mailing list
> > 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
>
> --
> Regards
> Arpit Tolani
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>



-- 
Ali Jawad
Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554
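An added audit script (not from the thread or from the 389 project) that follows up on Mark Reynolds's point above: after the storage scheme is switched away from crypt, any entry still holding an old {CRYPT} hash keeps matching only the first 8 characters until that user changes their password. It parses an LDIF export and lists the entries that need a forced rotation; the sample LDIF, its DNs and all digests are constructed placeholders.

```python
import base64, re
# Constructed sample export (not from the thread); digests are placeholders.
# Bob's value is base64-encoded ("::") the way LDIF export tools emit it.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {CRYPT}abPLACEHOLDERX

dn: uid=bob,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: {CRYPT}$6$saltsalt$PLACEHOLDER
"""
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$")

def parse_ldif(text):
    """Return one {attr: [values]} dict per entry; decodes '::' base64."""
    entries, attrs = [], {}
    for line in text.splitlines() + [""]:
        if not line:                          # blank line ends an entry
            if attrs:
                entries.append(attrs)
            attrs = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):             # "attr:: <base64-value>"
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name, []).append(value.strip())
    return entries

def classify(user_password):
    """Map a userPassword value to (scheme, truncates_at_8_chars)."""
    m = SCHEME_RE.match(user_password)
    if not m:
        return "CLEARTEXT", False
    scheme, digest = m.group(1).upper(), m.group(2)
    # Traditional DES crypt (no "$id$" prefix) hashes only the first 8
    # characters of the password; "$6$"-style crypt does not.
    return scheme, scheme == "CRYPT" and not digest.startswith("$")

def audit(ldif_text):
    """Count schemes in use and list DNs whose password must be rotated."""
    counts, must_rotate = {}, []
    for entry in parse_ldif(ldif_text):
        for value in entry.get("userPassword", []):
            scheme, truncates = classify(value)
            counts[scheme] = counts.get(scheme, 0) + 1
            if truncates:
                must_rotate.append(entry["dn"][0])
    return counts, must_rotate
```

Run it against a real db2ldif export (userPassword is normally only visible to Directory Manager) and every DN in the second return value still needs a password change before the crypt hash is gone.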