[389-users] Password + anything works ?

Grzegorz Dwornicki gd1100 at gmail.com
Tue Nov 13 11:59:39 UTC 2012


What about the NSS configuration? Maybe there is a configuration making ssl
mandatory?

Greg
On 13 Nov 2012 12:51, "Ali Jawad" <ali.jawad at splendor.net> wrote:

> Hi All
> I am trying to change the password using passwd, please see below:
>
> [xyz at server ~]$ passwd
> Changing password for user xyz.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Confidentiality required
> Operation requires a secure connection.
>
>  The error log shows
> Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok):
> user "xyz" does not exist in /etc/passwd
>
> PAM config follows:
>
> /etc/pam.d/passwd
> #%PAM-1.0
> auth       include      system-auth
> account    include      system-auth
> password   include      system-auth
> ~
>
> /etc/pam.d/system-auth
>
> #/etc/pam.d/system-auth
> #%PAM-1.0
>
> auth            required          pam_env.so
> auth            sufficient      pam_unix.so
> auth            sufficient      pam_ldap.so  use_first_pass
> auth            required          pam_deny.so
>
> account  sufficient     pam_unix.so
> account  sufficient     pam_ldap.so use_first_pass
> account  required         pam_deny.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_ldap.so use_authtok
> password    required      pam_deny.so
>
>
> #password        required        pam_cracklib.so retry=3 minlen=2
>  dcredit=0  ucredit=0
> #password        sufficient      pam_unix.so nullok use_authtok md5 shadow
> #password        sufficient      pam_ldap.so
> #password        required          pam_deny.so
>
> session  optional         pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session  required         pam_limits.so
> session  required         pam_unix.so
> session  optional         pam_ldap.so
> ~
> ~
>
>
>
> On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittolani at gmail.com> wrote:
>
>> Hello
>>
>>
>>
>> On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.jawad at splendor.net>
>> wrote:
>> > Hi Arpit
>> > Actually I was attempting to change the password using command line
>> >
>> > passwd
>> >
>> > I.e., each user changes his own password. Is passwd the right choice here?
>> >
>>
>> Yes, passwd is the right choice, considering you have pam_ldap.so properly
>> configured, and yes, passwd doesn't need ssl/tls to be configured.
>>
>>
>> > Regards
>> >
>> > On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittolani at gmail.com>
>> > wrote:
>> >>
>> >> Hello
>> >>
>> >> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.jawad at splendor.net>
>> >> wrote:
>> >> > In that case I have a major overhaul that I need to complete. Changing the
>> >> > password is not working for me; my assumption is that it only works with
>> >> > TLS enabled between the client and the server. I have tried to get TLS to
>> >> > run a few times but could not get it to run so far. Am I right about the
>> >> > assumption that I need encryption between the server and the clients for
>> >> > password change to work?
>> >> > Regards
>> >> >
>> >>
>> >> When using the ldappasswd command, yes, ssl/tls is mandatory. Try changing
>> >> the password using ldapmodify; it doesn't require an ssl/tls connection.
>> >>
>> >> >
>> >> > On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <mareynol at redhat.com>
>> >> > wrote:
>> >> >>
>> >> >> Only "crypt" uses the first 8 characters, so any other scheme would be
>> >> >> fine.  After you change the scheme you will need to force all the users
>> >> >> to change their passwords - otherwise their crypt passwords will still be
>> >> >> present.
>> >> >>
>> >> >>
>> >> >>
>> >> >> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>> >> >>
>> >> >> Hi All
>> >> >> This is an all Linux environment with 389 being used as the sole
>> >> >> authentication mechanism. I do believe I am using crypt; I am out of the
>> >> >> office right now. What should I use instead of crypt to match more
>> >> >> characters?
>> >> >> Regards
>> >> >>
>> >> >> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <mareynol at redhat.com>
>> >> >> wrote:
>> >> >>>
>> >> >>> Also what password storage scheme are you using?  For example "crypt"
>> >> >>> only checks the first 8 characters of a password.
>> >> >>>
>> >> >>>
>> >> >>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>> >> >>>
>> >> >>> In regards to a password policy? Just 389, or are you using winsync with
>> >> >>> AD? Because the password policy from AD does not transfer over. Also
>> >> >>> there are some extra steps if you want to set up an OU-based password
>> >> >>> policy, but if you just do it for the entire directory through
>> >> >>> 'configuration' it works with no issues.
>> >> >>>
>> >> >>> Dan
>> >> >>>
>> >> >>> From: Ali Jawad <ali.jawad at splendor.net>
>> >> >>> Sent: November 12, 2012 6:00 AM
>> >> >>> To: General discussion list for the 389 Directory server project.
>> >> >>> Subject: [389-users] Password + anything works ?
>> >> >>>
>> >> >>> Hi
>> >> >>> I just noticed that you can use the password + any letters and it will
>> >> >>> work, i.e. if the password is xyz, xyz99 or xyzABC will work as well. Is
>> >> >>> this a misconfiguration on my part or a bug?
>> >> >>> Regards
>> >> >>>
>> >>
>> >> Regards
>> >> Arpit Tolani
>> >> --
>> >> 389 users mailing list
>> >> 389-users at lists.fedoraproject.org
>> >> https://admin.fedoraproject.org/mailman/listinfo/389-users
>> >
>> >
>> >
>> >
>> > --
>> > Ali Jawad
>> > Information Systems Manager
>> > CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
>> > Splendor Telecom (www.splendor.net)
>> > Beirut, Lebanon
>> > Phone: +9611373725/ext 116
>> > FAX: +9611375554
>> >
>> >
>> >
>>
>> --
>> Regards
>> Arpit Tolani
>>
>
>
>
> --
> Ali Jawad
> Information Systems Manager
> CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
> Splendor Telecom (www.splendor.net)
> Beirut, Lebanon
> Phone: +9611373725/ext 116
> FAX: +9611375554
>
>
>
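An added check for Mark Reynolds's point in the quoted thread: only the traditional DES "crypt" scheme limits a password to its first 8 characters (which is why xyz, xyz99 and xyzABC all verify when the stored hash only covers the first 8 characters), and changing passwordStorageScheme leaves existing crypt hashes in place until each user changes their password. This is example code written for this page, not code from the 389 project or from anyone in the thread. It reads an LDIF export (such as the output of db2ldif or an ldapsearch for userPassword run as Directory Manager), classifies each userPassword value by its {scheme} prefix and hash shape, and lists the entries still carrying a 13-character DES-style crypt hash. The modular crypt forms ($1$ MD5, $5$ SHA-256, $6$ SHA-512) are not subject to the 8-character limit and are reported separately. The LDIF sample is constructed, and the digests in it are placeholders of the right shape, not hashes of any real password.

```python
"""Audit a 389 Directory Server LDIF export for password hashes that still
use the traditional DES "crypt" scheme, which only checks the first eight
characters of a password.

Added example, not the 389 project's own code. A constructed sample export
is embedded below so the script runs offline.
"""
import base64
import re
from collections import Counter

# Traditional DES crypt output is 13 characters (2-char salt + 11-char hash)
# from the ./0-9A-Za-z alphabet. That is the variant that silently truncates
# the password to 8 characters. The modular forms below do not truncate.
_DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
_MODULAR_CRYPT = {"$1$": "crypt-md5", "$5$": "crypt-sha256", "$6$": "crypt-sha512"}


def parse_ldif(text):
    """Return [(dn, [userPassword values])] for each entry in an LDIF text.

    Handles LDIF line folding (a continuation line starts with one space)
    and base64 values written as "attr:: value". Other attributes are ignored.
    """
    entries = []
    dn, passwords = None, []
    unfolded = re.sub(r"\n ", "", text)          # join folded lines first
    for line in unfolded.splitlines() + [""]:    # trailing "" flushes last entry
        if line == "":
            if dn is not None:
                entries.append((dn, passwords))
            dn, passwords = None, []
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):                # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "userpassword":
            passwords.append(value)
    return entries


def classify_password(stored):
    """Map a stored userPassword value to (scheme name, truncates_to_8_chars)."""
    m = re.match(r"^\{([^}]+)\}(.*)$", stored, re.S)
    if not m:
        return ("cleartext-or-unknown", False)
    scheme, digest = m.group(1).lower(), m.group(2)
    if scheme != "crypt":
        return (scheme, False)                   # SSHA, SHA, CLEAR, ...
    for prefix, name in _MODULAR_CRYPT.items():
        if digest.startswith(prefix):
            return (name, False)
    if _DES_CRYPT_RE.match(digest):
        return ("crypt-des", True)
    return ("crypt-unknown", False)


def audit(ldif_text):
    """Return ([(dn, scheme, truncates)], Counter of schemes) for an export."""
    findings, counts = [], Counter()
    for dn, passwords in parse_ldif(ldif_text):
        for value in passwords:
            scheme, truncates = classify_password(value)
            findings.append((dn, scheme, truncates))
            counts[scheme] += 1
    return findings, counts


def needs_reset(ldif_text):
    """DNs still protected by an 8-character DES crypt hash.

    Changing passwordStorageScheme does not rehash existing entries, so each
    of these users keeps the weak hash until they change their password.
    """
    return sorted({dn for dn, _, truncates in audit(ldif_text)[0] if truncates})


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed sample export; digests are placeholders of the right shape,
# not real hashes of any password.
SAMPLE_LDIF = "\n".join([
    "dn: uid=xyz,ou=People,dc=example,dc=com",
    "uid: xyz",
    "userPassword: {crypt}ab8tPJxIs5BFQ",                   # DES crypt, 13 chars
    "",
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "uid: alice",
    "userPassword:: " + _b64("{crypt}ab8tPJxIs5BFQ"),      # same, base64 in LDIF
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "uid: bob",
    "userPassword: {SSHA}" + _b64("x" * 24),               # salted SHA, unaffected
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "uid: carol",
    "userPassword: {crypt}$6$saltsalt$" + "Q" * 40,        # SHA-512 crypt, folded
    " " + "Q" * 46,                                        # onto a second LDIF line
    "",
])

if __name__ == "__main__":
    _, counts = audit(SAMPLE_LDIF)
    print("schemes:", dict(counts))
    print("still on 8-char crypt:", needs_reset(SAMPLE_LDIF))
```

Run it against a real export once the storage scheme has been changed; the list from needs_reset() shrinks as users change their passwords, and any DN still on it is an account where the old 8-character check still applies.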