aioshin
Aug 8 2006, 03:37 AM
ok, I have the LDAP server residing on CentOS, and clients on Mandriva boxes... I am able to log in from the client using the users defined on the LDAP server... now I want to allow each LDAP user to change their password with the command
CODE
passwd
but when trying that, it just gave the error below:
CODE
[ldapuser3@nixbox ~]$ passwd
Changing password for user ldapuser3.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information update failed: Can't contact LDAP server
passwd: Permission denied
[ldapuser3@nixbox ~]$
ok, here's my /etc/openldap/slapd.conf for additional info:
CODE
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
loglevel 296
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#
database ldbm
suffix "dc=duriancity,dc=dvo"
rootdn "cn=ldapadmin,dc=duriancity,dc=dvo"
rootpw {SSHA}POzRnaPcqsdffejfefedlacCVNuC7N99J3+u
directory /var/lib/ldap/duriancity.dvo
mode 0600
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
and here are the entries in the client PC's /etc/pam.d/system-auth:
CODE
#/etc/pam.d/system-auth
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_unix.so
auth sufficient pam_ldap.so likeauth nullok use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so use_first_pass
account required pam_deny.so
password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_ldap.so
password required pam_deny.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
basically, with the above setup, the Mandriva box allows local users and LDAP users to log in.
Now, any idea what I should put in my config to allow users to change their password using the passwd command?
TIA!
Maybe try:
CODE
ldappasswd
instead.
it won't, I still get this when doing ldappasswd:
CODE
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
actually, the server is not yet configured to use SSL...
do I have to configure LDAP to use SSL first before I can allow users to change their password?
I think if it's trying to communicate over SSL, it would need to be able to accept that type of connection.
I'm presuming it's the saslauthd service, so there should be some sort of option within the saslauthd config or even the ldap config to ensure that SSL type connections are allowed.
Unfortunately, I've not used LDAP extensively, but I believe this would be the cause, from when I've had similar issues trying to get mysqld to authenticate logins with my postfix server.
here's the ldap.conf on my client Mandriva box, the part that pertains to SSL:
CODE
# Netscape SDK LDAPS
#ssl on
# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db
# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
those are commented out, which means SSL or whatever above has no effect since it's not in use...
thanks Ian.. maybe I should google more for an answer
Once you've removed the comments, use:
CODE
netstat -tan
to make sure it's listening on port 636. I think you should only need to uncomment the OpenLDAP section.
The way I read it, you have two options: use SSL on the standard port with TLS, or use SSL with ldaps.
ok, the problem has been solved
how?
it's an ACL issue. In my slapd.conf, I added the following:
CODE
access to attr=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=duriancity,dc=dvo" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=duriancity,dc=dvo" write
by * read
Details below for the ACL above, taken from the OpenLDAP docs - link
QUOTE
As this is the first database, the controls also apply to entries not held in any database (such as the Root DSE). For all applicable entries, the userPassword attribute is writable by the entry itself and by the "admin" entry. It may be used for authentication/authorization purposes, but is otherwise not readable. All other attributes are writable by the entry and the "admin" entry, but may be read by all users (authenticated or not).
then on the client box, I changed /etc/pam.d/passwd:
original file on Mandriva LE2005:
CODE
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
though with the above input in /etc/pam.d/passwd, the LDAP user will be able to change its password using the passwd command, but it will prompt to enter the password many times, which is not normal... see below:
CODE
[ldapuser1001@nixbox ken]$ passwd
Changing password for user ldapuser1001.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information changed for ldapuser1001
passwd: all authentication tokens updated successfully.
then, I found out by googling that I have to change /etc/pam.d/passwd to something like below:
CODE
password sufficient pam_ldap.so
password required pam_unix.so nullok obscure min=4 max=8
then when ldapuser1001 tries to change its password with the passwd command:
CODE
[ldapuser1001@nixbox ken]$ passwd
Changing password for user ldapuser1001.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for ldapuser1001
passwd: all authentication tokens updated successfully.
it's now behaving normally..
note that it's a basic install... no TLS, no SSL.. so all LDAP traffic uses port 389... and I'm really new to it, so basically, not yet secure
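To see why the ACL posted above lets a bound user change only its own userPassword while everyone else gets nothing, here is an added example (not from the thread and not OpenLDAP's own code): a small Python evaluator for slapd.conf access directives, limited to the <what>/<who> selectors the thread uses and ignoring stop/break controls. The bind and target DNs used with it are constructed; the ACL string is the one from the post.

```python
import re
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]  # low to high

# The ACL from this thread, embedded as a string so the script runs offline.
ACL = """
access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=duriancity,dc=dvo" write
        by * none
access to *
        by self write
        by dn.base="cn=Manager,dc=duriancity,dc=dvo" write
        by * read
"""

def parse_acl(text):
    """Turn 'access to <what> by <who> <level> ...' directives into (what, [(who, level)])."""
    rules = []
    for chunk in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        t = shlex.split(chunk)  # shlex keeps dn.base="..." as one token and drops the quotes
        # after <what>, tokens come in 'by <who> <level>' triples (stop/break controls not modelled)
        rules.append((t[0], [(t[i + 1], t[i + 2]) for i in range(1, len(t), 3)]))
    return rules

def who_matches(who, bind_dn, target_dn):
    """The <who> selectors used in the thread; bind_dn None means an anonymous bind."""
    m = re.match(r"dn(?:\.base|\.exact)?=(.+)$", who)
    if m:
        return bool(bind_dn) and m.group(1).lower() == bind_dn.lower()
    return {"*": True,
            "anonymous": bind_dn is None,
            "self": bind_dn is not None and bind_dn.lower() == target_dn.lower()}[who]

def granted(rules, bind_dn, target_dn, attr, rootdn=None):
    """Level slapd grants: the rootdn bypasses ACLs; otherwise the first <what> covering the
    attribute wins, then its first matching <by> clause; no matching clause means 'none'."""
    if rootdn and bind_dn and bind_dn.lower() == rootdn.lower():
        return "write"
    for what, clauses in rules:
        m = re.match(r"attrs?=(.+)$", what)
        if what == "*" or (m and attr in m.group(1).split(",")):
            return next((lvl for who, lvl in clauses if who_matches(who, bind_dn, target_dn)), "none")
    return "none"

def allowed(rules, bind_dn, target_dn, attr, needed, rootdn=None):
    return LEVELS.index(granted(rules, bind_dn, target_dn, attr, rootdn)) >= LEVELS.index(needed)
```

With this ACL, `granted(parse_acl(ACL), dn, dn, "userPassword")` returns "write" for the entry's own DN, "auth" for an anonymous bind and "none" for any other non-root bind, which is the least-privilege shape the quoted docs describe.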