From: Craig W. <cra...@az...> - 2006-02-18 01:18:58
That's sort of an unfair request. I doubt he's using FDS. If I was going to take a guess...it would be these lines in /etc/ldap.conf

#nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com
#nss_base_shadow ou=People,dc=noam,dc=corp,dc=frk,dc=com
#nss_base_passwd ou=People,dc=example,dc=com?one

I don't think that they should be commented out but should probably be

nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com?one
nss_base_shadow ou=People,dc=noam,dc=corp,dc=frk,dc=com?one
nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com?one

but that could be ou=Users - it all depends upon how you have Directory Server set up. And I'm guessing that you are using something like RHEL 4 by the ldap.conf below and I have never set up pam_ldap and thus am not qualified to give you an opinion on how it works.

I do use FDS and OpenLDAP on various servers all RHEL and have never used pam_ldap and can change passwords from the command line which is what Jamie asked you. i.e.

# passwd craig
Changing password for user craig.
New UNIX password:
Retype new UNIX password:
LDAP password information changed for craig
passwd: all authentication tokens updated successfully.

and then to verify that the password change actually worked...

# ssh craig@localhost
craig@localhost's password:
Last login: Fri Jan 27 22:16:45 2006

because what Jamie is suggesting is that if you can do what I just demonstrated, he believes Usermin would authenticate a user.

Perhaps you should spend a little more time learning how to handle your own administration because once you can do your own administration, configuring a client tool such as Webmin or Usermin becomes much easier.

Craig

----
> On Fri, 2006-02-17 at 15:54 -0800, Khan, Mohammed [SMO] wrote:
> Jamie, Please can you please check my file. And let me know what I am doing wrong.
>
> -----Original Message-----
> From: Khan, Mohammed [SMO]
> Sent: Friday, February 17, 2006 10:55 AM
> To: 'web...@li...'
> Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
>
>
> Morning Jamie,
> I am attaching my ldap.conf file please check and let me know what I am doing wrong. If I enable the bindpw I am not able to login to usermin. Please check if the way I have set it up is correct. Do I create a file /etc/ldap.secret and copy the line from ldap.conf file. Please let me know
> # @(#)$Id: ldap.conf,v 1.27 2003/01/17 21:37:12 lukeh Exp $
> #
> # This is the configuration file for the LDAP nameservice
> # switch library and the LDAP PAM module.
> #
> # PADL Software
> # http://www.padl.com
> #
>
> # Your LDAP server. Must be resolvable without using LDAP.
> # Multiple hosts may be specified, each separated by a
> # space. How long nss_ldap takes to failover depends on
> # whether your LDAP client library supports configurable
> # network or connect timeouts (see bind_timelimit).
> #host 127.0.0.1
> host dublx06.noam.corp.frk.com
>
> # The distinguished name of the search base.
> #base dc=example,dc=com
> #base dc=people,dc=noam,dc=corp,dc=frk,dc=com
> base dc=noam,dc=corp,dc=frk,dc=com
>
> # Another way to specify your LDAP server is to provide an
> # uri with the server name. This allows to use
> # Unix Domain Sockets to connect to a local LDAP Server.
> #uri ldap://127.0.0.1/
> #uri ldaps://127.0.0.1/
> #uri ldapi://%2fvar%2frun%2fldapi_sock/
> # Note: %2f encodes the '/' used as directory separator
>
> # The LDAP version to use (defaults to 3
> # if supported by client library)
> ldap_version 3
>
> # The distinguished name to bind to the server with.
> # Optional: default is to bind anonymously.
> #binddn cn=proxyuser,dc=example,dc=com
> #binddn cn=Directory Manager
>
> # The credentials to bind with.
> # Optional: default is no credential.
> bindpw secret
> # The distinguished name to bind to the server with
> # if the effective user ID is root. Password is
> # stored in /etc/ldap.secret (mode 600)
> #rootbinddn cn=manager,dc=example,dc=com
> rootbinddn cn=Directory Manager
>
> # The port.
> # Optional: default is 389.
> #port 389
>
> # The search scope.
> #scope sub
> #scope one
> #scope base
>
> # Search timelimit
> #timelimit 30
>
> # Bind timelimit
> #bind_timelimit 30
>
> # Idle timelimit; client will close connections
> # (nss_ldap only) if the server has not been contacted
> # for the number of seconds specified below.
> #idle_timelimit 3600
>
> # Filter to AND with uid=%s
> #pam_filter objectclass=account
> pam_filter objectclass=posixAccount
>
> # The user ID attribute (defaults to uid)
> pam_login_attribute uid
>
> # Search the root DSE for the password policy (works
> # with Netscape Directory Server)
> #pam_lookup_policy yes
>
> # Check the 'host' attribute for access control
> # Default is no; if set to yes, and user has no
> # value for the host attribute, and pam_ldap is
> # configured for account management (authorization)
> # then the user will not be allowed to login.
> #pam_check_host_attr yes
>
> # Group to enforce membership of
> #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
> pam_groupdn cn=TestGroup,ou=Groups,dc=noam,dc=corp,dc=frk,dc=com
> #pam_groupdn cn=dublx09,ou=Groups,dc=noam,dc=corp,dc=frk,dc=com
>
> # Group member attribute
> #pam_member_attribute uniquemember
> pam_member_attribute memberUid
>
> # Specify a minium or maximum UID number allowed
> #pam_min_uid 0
> #pam_max_uid 0
>
> # Template login attribute, default template user
> # (can be overriden by value of former attribute
> # in user's entry)
> #pam_login_attribute userPrincipalName
> #pam_template_login_attribute uid
> #pam_template_login nobody
>
> # HEADS UP: the pam_crypt, pam_nds_passwd,
> # and pam_ad_passwd options are no
> # longer supported.
>
> # Do not hash the password at all; presume
> # the directory server will do it, if
> # necessary. This is the default.
> #pam_password clear
>
> # Hash password locally; required for University of
> # Michigan LDAP server, and works with Netscape
> # Directory Server if you're using the UNIX-Crypt
> # hash mechanism and not using the NT Synchronization
> # service.
> #pam_password crypt
>
> # Remove old password first, then update in
> # cleartext. Necessary for use with Novell
> # Directory Services (NDS)
> #pam_password nds
>
> # Update Active Directory password, by
> # creating Unicode password and updating
> # unicodePwd attribute.
> #pam_password ad
>
> # Use the OpenLDAP password change
> # extended operation to update the password.
> #pam_password exop
> #pam_password crypt
>
> # Redirect users to a URL or somesuch on password
> # changes.
> #pam_password_prohibit_message Please visit http://internal to change your password.
>
> # RFC2307bis naming contexts
> # Syntax:
> # nss_base_XXX base?scope?filter
> # where scope is {base,one,sub}
> # and filter is a filter to be &'d with the
> # default filter.
> # You can omit the suffix eg:
> # nss_base_passwd ou=People,
> # to append the default base DN but this
> # may incur a small performance impact.
> #nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com
> #nss_base_shadow ou=People,dc=noam,dc=corp,dc=frk,dc=com
> #nss_base_passwd ou=People,dc=example,dc=com?one
> #nss_base_shadow ou=People,dc=example,dc=com?one
> #nss_base_group ou=Group,dc=example,dc=com?one
> #nss_base_group ou=Groups,dc=noam,dc=corp,dc=frk,dc=com
> #nss_base_hosts ou=Hosts,dc=example,dc=com?one
> #nss_base_services ou=Services,dc=example,dc=com?one
> #nss_base_networks ou=Networks,dc=example,dc=com?one
> #nss_base_protocols ou=Protocols,dc=example,dc=com?one
> #nss_base_rpc ou=Rpc,dc=example,dc=com?one
> #nss_base_ethers ou=Ethers,dc=example,dc=com?one
> #nss_base_netmasks ou=Networks,dc=example,dc=com?ne
> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
> #nss_base_aliases ou=Aliases,dc=example,dc=com?one
> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
>
> # attribute/objectclass mapping
> # Syntax:
> #nss_map_attribute rfc2307attribute mapped_attribute
> #nss_map_objectclass rfc2307objectclass mapped_objectclass
>
> # configure --enable-nds is no longer supported.
> # For NDS now do:
> #nss_map_attribute uniqueMember member
>
> # configure --enable-mssfu-schema is no longer supported.
> # For MSSFU now do:
> #nss_map_objectclass posixAccount User
> #nss_map_attribute uid msSFUName
> #nss_map_attribute uniqueMember posixMember
> #nss_map_attribute userPassword msSFUPassword
> #nss_map_attribute homeDirectory msSFUHomeDirectory
> #nss_map_objectclass posixGroup Group
> #pam_login_attribute msSFUName
> #pam_filter objectclass=User
> #pam_password ad
>
> # configure --enable-authpassword is no longer supported
> # For authPassword support, now do:
> #nss_map_attribute userPassword authPassword
> #pam_password nds
>
> # For IBM SecureWay support, do:
> #nss_map_objectclass posixAccount aixAccount
> #nss_map_attribute uid userName
> #nss_map_attribute gidNumber gid
> #nss_map_attribute uidNumber uid
> #nss_map_attribute userPassword passwordChar
> #nss_map_objectclass posixGroup aixAccessGroup
> #nss_map_attribute cn dublx09
> #nss_map_attribute memberUid member
> #pam_login_attribute userName
> #pam_filter objectclass=aixAccount
> #pam_password clear
>
> # Netscape SDK LDAPS
> #ssl on
>
> # Netscape SDK SSL options
> #sslpath /etc/ssl/certs/cert7.db
>
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> #ssl start_tls
> #ssl on
>
> # OpenLDAP SSL options
> # Require and verify server certificate (yes/no)
> # Default is "no"
> #tls_checkpeer yes
>
> # CA certificates for server certificate verification
> # At least one of these are required if tls_checkpeer is "yes"
> #tls_cacertfile /etc/ssl/ca.cert
> #tls_cacertdir /etc/ssl/certs
>
> # Seed the PRNG if /dev/urandom is not provided
> #tls_randfile /var/run/egd-pool
>
> # SSL cipher suite
> # See man ciphers for syntax
> #tls_ciphers TLSv1
>
> # Client certificate and key
> # Use these, if your server requires client authentication.
> #tls_cert
> #tls_key
> ssl no
>
> -----Original Message-----
> From: web...@li...
> [mailto:web...@li...]On Behalf Of Jamie
> Cameron
> Sent: Friday, February 17, 2006 9:02 AM
> To: web...@li...
> Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
>
>
> That file should already exist somewhere under /etc on your system. It may be called something different too, like pam_ldap.conf
>
> - Jamie
>
> -----Original Message-----
>
> From: "Khan, Mohammed [SMO]" <MK...@fr...>
> Subj: RE: [webmin-l] Webmin Servers, Broadcast/scan
> Date: Fri 17 Feb 2006 4:21 pm
> Size: 2K
> To: <web...@li...>
>
> I don't have that file so shall I create these files, just fyi my server linux AS2.1. If I do what shall I put in the file.
>
> -----Original Message-----
> From: web...@li...
> [mailto:web...@li...]On Behalf Of Jamie
> Cameron
> Sent: Thursday, February 16, 2006 5:26 PM
> To: web...@li...
> Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
>
>
> Make sure that in your PAM LDAP config file (/etc/pam_ldap/auth_ldap.conf
> on my system) that the binddn and rootbinddn parameters are set to your
> LDAP administration user, and that the passwords in the bindpw parameter and
> /etc/ldap.secret file are set to match. Otherwise PAM will connect to LDAP
> as the user who is changing his password, which will generally not be allowed.
>
> - Jamie
>
> On 17/Feb/2006 11:43 Khan, Mohammed [SMO] wrote ..
> > Jamie, now i am getting this error:
> > Feb 16 16:36:29 dublx09 l/usermin/changepass/changepass.cgi: pam_ldap:
> > error trying to bind as user "uid=mkhan,ou=People, dc=noam,dc=corp,dc=frk,dc=com"
> > (Invalid credentials)
> >
> > -----Original Message-----
> > From: web...@li...
> > [mailto:web...@li...]On Behalf Of Jamie
> > Cameron
> > Sent: Friday, February 17, 2006 2:10 AM
> > To: web...@li...
> > Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
> >
> >
> > Hi,
> > That looks OK..
> > Can LDAP users use the command-line passwd command to change their passwords?
> >
> > - Jamie
> >
> > -----Original Message-----
> >
> > From: "Khan, Mohammed [SMO]" <MK...@fr...>
> > Subj: RE: [webmin-l] Webmin Servers, Broadcast/scan
> > Date: Fri 17 Feb 2006 10:07 am
> > Size: 2K
> > To: <web...@li...>
> >
> > Hi Jamie,
> > Here is my passwd file: Pls tell me what I am doing wrong.
> > #%PAM-1.0
> > password required pam_cracklib.so
> > password sufficient pam_ldap.so
> > password sufficient pam_unix.so
> > password required pam_deny.so
> >
> >
> >
> > Thanks
> > Mohammed
> >
> > -----Original Message-----
> > From: web...@li...
> > [mailto:web...@li...]On Behalf Of Jamie
> > Cameron
> > Sent: Thursday, February 16, 2006 2:46 PM
> > To: web...@li...
> > Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
> >
> >
> > Just make sure that /etc/pam.d/passwd is setup to talk to LDAP, and that
> > Usermin's
> > Change Password module is setup to use PAM.
> >
> > - Jamie
> >
> > On 17/Feb/2006 09:42 Khan, Mohammed [SMO] wrote ..
> > > Hello Jamie,
> > > Do you know how can I use usermin to change my ldap password. Please
> > need
> > > your help.
> > >
> > > Thanks
> > > Mohammed
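The thread above comes down to a handful of ldap.conf settings: Craig's point that the nss_base_passwd/nss_base_shadow lines are commented out, Jamie's point that rootbinddn needs its password in /etc/ldap.secret (mode 600) matching bindpw, and the file's own notes that ssl is off and tls_checkpeer defaults to "no". The following linter is an added example written for this page; it is not code from the thread, nor from nss_ldap, pam_ldap or Webmin. Both configuration strings are constructed from the directives quoted above (cn=proxyuser and the bindpw value "changeme" in the hardened copy are placeholders), the lint rules are this editor's reading of the thread, and the /etc/ldap.secret path and mode come from the comment in the quoted file.

```python
import os
import re
import stat

# Constructed excerpt keeping only the directives the thread argues about; it is
# modelled on the ldap.conf quoted above, not copied from it.
SAMPLE_LDAP_CONF = """\
host dublx06.noam.corp.frk.com
base dc=noam,dc=corp,dc=frk,dc=com
#binddn cn=proxyuser,dc=example,dc=com
bindpw secret
rootbinddn cn=Directory Manager
#nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com
#nss_base_shadow ou=People,dc=noam,dc=corp,dc=frk,dc=com
#nss_base_group ou=Groups,dc=noam,dc=corp,dc=frk,dc=com
#tls_checkpeer yes
ssl no
"""

# The same file with the thread's suggestions applied (also constructed): search
# bases enabled with a ?one scope, a proxy binddn paired with the rootbinddn, and
# TLS with peer verification. cn=proxyuser and 'changeme' are placeholders.
HARDENED_LDAP_CONF = """\
host dublx06.noam.corp.frk.com
base dc=noam,dc=corp,dc=frk,dc=com
binddn cn=proxyuser,dc=noam,dc=corp,dc=frk,dc=com
bindpw changeme
rootbinddn cn=Directory Manager
nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com?one
nss_base_shadow ou=People,dc=noam,dc=corp,dc=frk,dc=com?one
nss_base_group ou=Groups,dc=noam,dc=corp,dc=frk,dc=com?one
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/ssl/ca.cert
"""

# Directives the linter looks at; any other '#' line is treated as a plain comment.
KNOWN_KEYS = {"host", "uri", "base", "binddn", "bindpw", "rootbinddn", "ssl",
              "tls_checkpeer", "nss_base_passwd", "nss_base_shadow", "nss_base_group"}
_DIRECTIVE = re.compile(r"^#?\s*([A-Za-z_]+)\s+(\S.*)$")

def parse_ldap_conf(text):
    """Split ldap.conf into two dicts, keyword -> [values]: directives that are
    active and directives that are present but commented out. Keeping the
    commented ones lets the linter tell 'never set' from 'set but disabled'."""
    active, commented = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _DIRECTIVE.match(line)
        if not m or m.group(1).lower() not in KNOWN_KEYS:
            continue
        bucket = commented if line.startswith("#") else active
        bucket.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return active, commented

def lint_ldap_conf(text):
    """Return (severity, message) pairs; severity is 'warn' or 'info'."""
    active, commented = parse_ldap_conf(text)
    out = []
    # Craig's point: the per-map search bases exist only as comments, so
    # nss_ldap falls back to searching the whole base DN.
    for key in ("nss_base_passwd", "nss_base_shadow", "nss_base_group"):
        if key not in active and key in commented:
            out.append(("warn", "%s is commented out (was: %s); set it with a ?one scope "
                        "on the container that really holds the entries" % (key, commented[key][0])))
    # bindpw sits in ldap.conf, which every local process (and user) can read.
    if "bindpw" in active:
        out.append(("info", "bindpw is set in ldap.conf, which all local users can read; "
                    "binddn should be a low-privilege proxy account"))
        if "binddn" not in active:
            out.append(("warn", "bindpw is set but binddn is not, so non-root lookups still "
                        "bind anonymously (the file's documented default)"))
    # Jamie's point: rootbinddn's password lives in /etc/ldap.secret (mode 600)
    # and must match bindpw; check_secret_file() covers the on-disk half.
    if "rootbinddn" in active:
        out.append(("info", "rootbinddn is %s; its password is read from /etc/ldap.secret, "
                    "which must be mode 600" % active["rootbinddn"][0]))
    # ssl off: simple binds and password changes cross the wire in cleartext.
    # TLS on but tls_checkpeer off: the server certificate is never verified.
    ssl_mode = active.get("ssl", ["no"])[0].lower()
    if ssl_mode == "no":
        out.append(("warn", "ssl is 'no': simple binds send passwords in cleartext"))
    elif active.get("tls_checkpeer", ["no"])[0].lower() != "yes":
        out.append(("warn", "ssl is '%s' but tls_checkpeer is not 'yes': the server "
                    "certificate is never verified" % ssl_mode))
    return out

def check_secret_file(path="/etc/ldap.secret"):
    """On-disk half of the rootbinddn check: the password file named in the
    ldap.conf comment must exist and be mode 600. Returns a list of messages."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist; rootbinddn has no password to bind with" % path]
    mode = stat.S_IMODE(st.st_mode)
    return ["%s has mode %03o; it should be 600" % (path, mode)] if mode != 0o600 else []

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print("== %s ==" % label)
        for severity, msg in lint_ldap_conf(conf) + [("warn", m) for m in check_secret_file()]:
            print("[%s] %s" % (severity, msg))
```

Run it as-is to see the posted configuration produce five warnings and the hardened copy none; point `lint_ldap_conf` at the contents of a real /etc/ldap.conf and `check_secret_file` at the real secret file to apply the same checks on a host. The parser records commented-out directives separately on purpose: "set but disabled", which is exactly what Craig spotted, is a different finding from "never configured".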