From: Khan, M. [SMO] <MK...@fr...> - 2006-02-23 21:58:24

Thanks Jamie, it worked... Please close my case. Thanks much.

-----Original Message-----
From: web...@li... [mailto:web...@li...] On Behalf Of Jamie Cameron
Sent: Wednesday, February 22, 2006 2:19 PM
To: web...@li...
Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan

If changing the password at the command line works, give this a try:

1) Go to the Usermin Configuration module
2) Click on Usermin Module Configuration
3) Click on Change Password
4) Set the 'Change with' option to 'Use command', and enter /usr/bin/passwd into the adjacent text box.
5) Click Save.

- Jamie

On 22/Feb/2006 16:51 Khan, Mohammed [SMO] wrote ..
> Changing password using command line works fine. Only problem I have is
> changing password using usermin. It is giving error
>
> Feb 22 14:45:02 dublx09 l/usermin/changepass/changepass.cgi: pam_ldap:
> error trying to bind as user "uid=mkhan,ou=People, dc=noam,dc=corp,dc=frk,dc=com"
> (Invalid credentials)
>
> -----Original Message-----
> From: web...@li... [mailto:web...@li...] On Behalf Of Craig White
> Sent: Friday, February 17, 2006 5:19 PM
> To: web...@li...
> Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
>
> That's sort of an unfair request.
>
> I doubt he's using FDS.
>
> If I was going to take a guess... it would be these lines in /etc/ldap.conf
>
> #nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com
> #nss_base_shadow ou=People,dc=noam,dc=corp,dc=frk,dc=com
> #nss_base_passwd ou=People,dc=example,dc=com?one
>
> I don't think that they should be commented out but should probably be
>
> nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com?one
> nss_base_shadow ou=People,dc=noam,dc=corp,dc=frk,dc=com?one
> nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com?one
>
> but that could be ou=Users - it all depends upon how you have Directory
> Server set up.
>
> and I'm guessing that you are using something like RHEL 4 by the ldap.conf
> below and I have never set up pam_ldap and thus am not qualified to give
> you an opinion on how it works.
>
> I do use FDS and OpenLDAP on various servers all RHEL and have never used
> pam_ldap and can change passwords from the command line which is what Jamie
> asked you.
>
> i.e.
>
> # passwd craig
> Changing password for user craig.
> New UNIX password:
> Retype new UNIX password:
> LDAP password information changed for craig
> passwd: all authentication tokens updated successfully.
>
> and then to verify that the password change actually worked...
>
> # ssh craig@localhost
> craig@localhost's password:
> Last login: Fri Jan 27 22:16:45 2006
>
> because what Jamie is suggesting is that if you can do what I just demonstrated,
> he believes Usermin would authenticate a user.
>
> perhaps you should spend a little more time learning how to handle your
> own administration because once you can do your own administration, configuring
> a client tool such as Webmin or Usermin becomes much easier.
>
> Craig
> ----
>
> On Fri, 2006-02-17 at 15:54 -0800, Khan, Mohammed [SMO] wrote:
> > Jamie, can you please check my file and let me know what I am
> > doing wrong.
> >
> > -----Original Message-----
> > From: Khan, Mohammed [SMO]
> > Sent: Friday, February 17, 2006 10:55 AM
> > To: 'web...@li...'
> > Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
> >
> > Morning Jamie,
> > I am attaching my ldap.conf file, please check and let me know what I
> > am doing wrong. If I enable the bindpw I am not able to login to usermin.
> > Please check if the way I have set it up is correct. Do I create a file
> > /etc/ldap.secret and copy the line from ldap.conf file? Please let me
> > know.
> >
> > # @(#)$Id: ldap.conf,v 1.27 2003/01/17 21:37:12 lukeh Exp $
> > #
> > # This is the configuration file for the LDAP nameservice
> > # switch library and the LDAP PAM module.
> > #
> > # PADL Software
> > # http://www.padl.com
> > #
> >
> > # Your LDAP server. Must be resolvable without using LDAP.
> > # Multiple hosts may be specified, each separated by a
> > # space. How long nss_ldap takes to failover depends on
> > # whether your LDAP client library supports configurable
> > # network or connect timeouts (see bind_timelimit).
> > #host 127.0.0.1
> > host dublx06.noam.corp.frk.com
> >
> > # The distinguished name of the search base.
> > #base dc=example,dc=com
> > #base dc=people,dc=noam,dc=corp,dc=frk,dc=com
> > base dc=noam,dc=corp,dc=frk,dc=com
> >
> > # Another way to specify your LDAP server is to provide an
> > # uri with the server name. This allows to use
> > # Unix Domain Sockets to connect to a local LDAP Server.
> > #uri ldap://127.0.0.1/
> > #uri ldaps://127.0.0.1/
> > #uri ldapi://%2fvar%2frun%2fldapi_sock/
> > # Note: %2f encodes the '/' used as directory separator
> >
> > # The LDAP version to use (defaults to 3
> > # if supported by client library)
> > ldap_version 3
> >
> > # The distinguished name to bind to the server with.
> > # Optional: default is to bind anonymously.
> > #binddn cn=proxyuser,dc=example,dc=com
> > #binddn cn=Directory Manager
> >
> > # The credentials to bind with.
> > # Optional: default is no credential.
> > bindpw secret
> >
> > # The distinguished name to bind to the server with
> > # if the effective user ID is root. Password is
> > # stored in /etc/ldap.secret (mode 600)
> > #rootbinddn cn=manager,dc=example,dc=com
> > rootbinddn cn=Directory Manager
> >
> > # The port.
> > # Optional: default is 389.
> > #port 389
> >
> > # The search scope.
> > #scope sub
> > #scope one
> > #scope base
> >
> > # Search timelimit
> > #timelimit 30
> >
> > # Bind timelimit
> > #bind_timelimit 30
> >
> > # Idle timelimit; client will close connections
> > # (nss_ldap only) if the server has not been contacted
> > # for the number of seconds specified below.
> > #idle_timelimit 3600
> >
> > # Filter to AND with uid=%s
> > #pam_filter objectclass=account
> > pam_filter objectclass=posixAccount
> >
> > # The user ID attribute (defaults to uid)
> > pam_login_attribute uid
> >
> > # Search the root DSE for the password policy (works
> > # with Netscape Directory Server)
> > #pam_lookup_policy yes
> >
> > # Check the 'host' attribute for access control
> > # Default is no; if set to yes, and user has no
> > # value for the host attribute, and pam_ldap is
> > # configured for account management (authorization)
> > # then the user will not be allowed to login.
> > #pam_check_host_attr yes
> >
> > # Group to enforce membership of
> > #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
> > pam_groupdn cn=TestGroup,ou=Groups,dc=noam,dc=corp,dc=frk,dc=com
> > #pam_groupdn cn=dublx09,ou=Groups,dc=noam,dc=corp,dc=frk,dc=com
> >
> > # Group member attribute
> > #pam_member_attribute uniquemember
> > pam_member_attribute memberUid
> >
> > # Specify a minimum or maximum UID number allowed
> > #pam_min_uid 0
> > #pam_max_uid 0
> >
> > # Template login attribute, default template user
> > # (can be overridden by value of former attribute
> > # in user's entry)
> > #pam_login_attribute userPrincipalName
> > #pam_template_login_attribute uid
> > #pam_template_login nobody
> >
> > # HEADS UP: the pam_crypt, pam_nds_passwd,
> > # and pam_ad_passwd options are no
> > # longer supported.
> >
> > # Do not hash the password at all; presume
> > # the directory server will do it, if
> > # necessary. This is the default.
> > #pam_password clear
> >
> > # Hash password locally; required for University of
> > # Michigan LDAP server, and works with Netscape
> > # Directory Server if you're using the UNIX-Crypt
> > # hash mechanism and not using the NT Synchronization
> > # service.
> > #pam_password crypt
> >
> > # Remove old password first, then update in
> > # cleartext. Necessary for use with Novell
> > # Directory Services (NDS)
> > #pam_password nds
> >
> > # Update Active Directory password, by
> > # creating Unicode password and updating
> > # unicodePwd attribute.
> > #pam_password ad
> >
> > # Use the OpenLDAP password change
> > # extended operation to update the password.
> > #pam_password exop
> > #pam_password crypt
> >
> > # Redirect users to a URL or somesuch on password
> > # changes.
> > #pam_password_prohibit_message Please visit http://internal to change your password.
> >
> > # RFC2307bis naming contexts
> > # Syntax:
> > # nss_base_XXX base?scope?filter
> > # where scope is {base,one,sub}
> > # and filter is a filter to be &'d with the
> > # default filter.
> > # You can omit the suffix eg:
> > # nss_base_passwd ou=People,
> > # to append the default base DN but this
> > # may incur a small performance impact.
> > #nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com
> > #nss_base_shadow ou=People,dc=noam,dc=corp,dc=frk,dc=com
> > #nss_base_passwd ou=People,dc=example,dc=com?one
> > #nss_base_shadow ou=People,dc=example,dc=com?one
> > #nss_base_group ou=Group,dc=example,dc=com?one
> > #nss_base_group ou=Groups,dc=noam,dc=corp,dc=frk,dc=com
> > #nss_base_hosts ou=Hosts,dc=example,dc=com?one
> > #nss_base_services ou=Services,dc=example,dc=com?one
> > #nss_base_networks ou=Networks,dc=example,dc=com?one
> > #nss_base_protocols ou=Protocols,dc=example,dc=com?one
> > #nss_base_rpc ou=Rpc,dc=example,dc=com?one
> > #nss_base_ethers ou=Ethers,dc=example,dc=com?one
> > #nss_base_netmasks ou=Networks,dc=example,dc=com?ne
> > #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
> > #nss_base_aliases ou=Aliases,dc=example,dc=com?one
> > #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
> >
> > # attribute/objectclass mapping
> > # Syntax:
> > #nss_map_attribute rfc2307attribute mapped_attribute
> > #nss_map_objectclass rfc2307objectclass mapped_objectclass
> >
> > # configure --enable-nds is no longer supported.
> > # For NDS now do:
> > #nss_map_attribute uniqueMember member
> >
> > # configure --enable-mssfu-schema is no longer supported.
> > # For MSSFU now do:
> > #nss_map_objectclass posixAccount User
> > #nss_map_attribute uid msSFUName
> > #nss_map_attribute uniqueMember posixMember
> > #nss_map_attribute userPassword msSFUPassword
> > #nss_map_attribute homeDirectory msSFUHomeDirectory
> > #nss_map_objectclass posixGroup Group
> > #pam_login_attribute msSFUName
> > #pam_filter objectclass=User
> > #pam_password ad
> >
> > # configure --enable-authpassword is no longer supported
> > # For authPassword support, now do:
> > #nss_map_attribute userPassword authPassword
> > #pam_password nds
> >
> > # For IBM SecureWay support, do:
> > #nss_map_objectclass posixAccount aixAccount
> > #nss_map_attribute uid userName
> > #nss_map_attribute gidNumber gid
> > #nss_map_attribute uidNumber uid
> > #nss_map_attribute userPassword passwordChar
> > #nss_map_objectclass posixGroup aixAccessGroup
> > #nss_map_attribute cn dublx09
> > #nss_map_attribute memberUid member
> > #pam_login_attribute userName
> > #pam_filter objectclass=aixAccount
> > #pam_password clear
> >
> > # Netscape SDK LDAPS
> > #ssl on
> >
> > # Netscape SDK SSL options
> > #sslpath /etc/ssl/certs/cert7.db
> >
> > # OpenLDAP SSL mechanism
> > # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> > #ssl start_tls
> > #ssl on
> >
> > # OpenLDAP SSL options
> > # Require and verify server certificate (yes/no)
> > # Default is "no"
> > #tls_checkpeer yes
> >
> > # CA certificates for server certificate verification
> > # At least one of these are required if tls_checkpeer is "yes"
> > #tls_cacertfile /etc/ssl/ca.cert
> > #tls_cacertdir /etc/ssl/certs
> >
> > # Seed the PRNG if /dev/urandom is not provided
> > #tls_randfile /var/run/egd-pool
> >
> > # SSL cipher suite
> > # See man ciphers for syntax
> > #tls_ciphers TLSv1
> >
> > # Client certificate and key
> > # Use these, if your server requires client authentication.
> > #tls_cert
> > #tls_key
> > ssl no
> >
> > -----Original Message-----
> > From: web...@li... [mailto:web...@li...] On Behalf Of Jamie Cameron
> > Sent: Friday, February 17, 2006 9:02 AM
> > To: web...@li...
> > Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
> >
> > That file should already exist somewhere under /etc on your system. It
> > may be called something different too, like pam_ldap.conf
> >
> > - Jamie
> >
> > -----Original Message-----
> >
> > From: "Khan, Mohammed [SMO]" <MK...@fr...>
> > Subj: RE: [webmin-l] Webmin Servers, Broadcast/scan
> > Date: Fri 17 Feb 2006 4:21 pm
> > Size: 2K
> > To: <web...@li...>
> >
> > I don't have that file, so shall I create these files? Just FYI, my server
> > is Linux AS2.1. If I do, what shall I put in the file?
> >
> > -----Original Message-----
> > From: web...@li... [mailto:web...@li...] On Behalf Of Jamie Cameron
> > Sent: Thursday, February 16, 2006 5:26 PM
> > To: web...@li...
> > Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
> >
> > Make sure that in your PAM LDAP config file (/etc/pam_ldap/auth_ldap.conf
> > on my system) that the binddn and rootbinddn parameters are set to your
> > LDAP administration user, and that the passwords in the bindpw parameter and
> > /etc/ldap.secret file are set to match. Otherwise PAM will connect to LDAP
> > as the user who is changing his password, which will generally not be allowed.
> >
> > - Jamie
> >
> > On 17/Feb/2006 11:43 Khan, Mohammed [SMO] wrote ..
> > > Jamie, now I am getting this error:
> > > Feb 16 16:36:29 dublx09 l/usermin/changepass/changepass.cgi: pam_ldap:
> > > error trying to bind as user "uid=mkhan,ou=People, dc=noam,dc=corp,dc=frk,dc=com"
> > > (Invalid credentials)
> > >
> > > -----Original Message-----
> > > From: web...@li... [mailto:web...@li...] On Behalf Of Jamie Cameron
> > > Sent: Friday, February 17, 2006 2:10 AM
> > > To: web...@li...
> > > Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
> > >
> > > Hi,
> > > That looks OK..
> > > Can LDAP users use the command-line passwd command to change their passwords?
> > >
> > > - Jamie
> > >
> > > -----Original Message-----
> > >
> > > From: "Khan, Mohammed [SMO]" <MK...@fr...>
> > > Subj: RE: [webmin-l] Webmin Servers, Broadcast/scan
> > > Date: Fri 17 Feb 2006 10:07 am
> > > Size: 2K
> > > To: <web...@li...>
> > >
> > > Hi Jamie,
> > > Here is my passwd file. Please tell me what I am doing wrong.
> > >
> > > #%PAM-1.0
> > > password required pam_cracklib.so
> > > password sufficient pam_ldap.so
> > > password sufficient pam_unix.so
> > > password required pam_deny.so
> > >
> > > Thanks
> > > Mohammed
> > >
> > > -----Original Message-----
> > > From: web...@li... [mailto:web...@li...] On Behalf Of Jamie Cameron
> > > Sent: Thursday, February 16, 2006 2:46 PM
> > > To: web...@li...
> > > Subject: RE: [webmin-l] Webmin Servers, Broadcast/scan
> > >
> > > Just make sure that /etc/pam.d/passwd is setup to talk to LDAP, and that
> > > Usermin's Change Password module is setup to use PAM.
> > >
> > > - Jamie
> > >
> > > On 17/Feb/2006 09:42 Khan, Mohammed [SMO] wrote ..
> > > > Hello Jamie,
> > > > Do you know how I can use usermin to change my ldap password? Please,
> > > > I need your help.
> > > >
> > > > Thanks
> > > > Mohammed

-
Forwarded by the Webmin mailing list at web...@li...
To remove yourself from this list, go to
http://lists.sourceforge.net/lists/listinfo/webadmin-list

Notice: All email and instant messages (including attachments) sent to
or from Franklin Templeton Investments (FTI) personnel may be retained,
monitored and/or reviewed by FTI and its agents, or authorized
law enforcement personnel, without further notice or consent.
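An added example, not part of the thread and not Webmin/Usermin code: a small Python linter that reads a PADL-style ldap.conf and an /etc/pam.d/passwd stack and reports the problems a reviewer can see in the configuration posted above. In the posted ldap.conf, bindpw is set while binddn stays commented out, the bind password sits in ldap.conf rather than in the mode-600 /etc/ldap.secret the template's own comment points to, rootbinddn is the directory superuser, and ssl is off, so the bind and the new password cross the wire in the clear; in the posted PAM stack, pam_ldap and pam_unix follow pam_cracklib without use_authtok. The sample inputs are those two posted files trimmed to their active lines; the finding codes, the cn=pwadmin DN in the test, and the secret_mode parameter are my own assumptions.

```python
"""Lint a PADL-style ldap.conf and an /etc/pam.d/passwd stack for the problems
visible in the thread above. Added example: not Webmin/Usermin code and not
from the original mail; the finding codes are names of my own."""
import re

# Constructed sample: the active directives of the ldap.conf posted above,
# with the template's commented lines dropped (binddn stays commented out).
SAMPLE_LDAP_CONF = """\
host dublx06.noam.corp.frk.com
base dc=noam,dc=corp,dc=frk,dc=com
ldap_version 3
#binddn cn=proxyuser,dc=example,dc=com
bindpw secret
rootbinddn cn=Directory Manager
pam_filter objectclass=posixAccount
pam_login_attribute uid
#nss_base_passwd ou=People,dc=noam,dc=corp,dc=frk,dc=com
ssl no
"""

# The /etc/pam.d/passwd stack posted above, verbatim.
SAMPLE_PAM_PASSWD = """\
#%PAM-1.0
password required pam_cracklib.so
password sufficient pam_ldap.so
password sufficient pam_unix.so
password required pam_deny.so
"""


def parse_ldap_conf(text):
    """Lower-cased directive -> value for uncommented lines (last one wins)."""
    conf = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def parse_pam_stack(text, facility="password"):
    """[(control, module, args)] for one PAM facility, in stack order."""
    rows = [raw.split() for raw in text.splitlines()]
    return [(f[1].lower(), f[2], f[3:])
            for f in rows if len(f) >= 3 and f[0].lower() == facility]


def lint_ldap_conf(conf, secret_mode=None):
    """Return [(code, message)]; secret_mode is the permission bits of
    /etc/ldap.secret if the caller stat()ed it, or None if unknown."""
    out = []
    if "bindpw" in conf and "binddn" not in conf:
        out.append(("BINDPW_WITHOUT_BINDDN", "bindpw is set but binddn is "
                    "commented out: the password is never used"))
    if "bindpw" in conf:
        out.append(("BINDPW_IN_LDAP_CONF", "bindpw sits in world-readable "
                    "ldap.conf; use rootbinddn + /etc/ldap.secret instead"))
    if "rootbinddn" in conf:
        if secret_mode is None:
            out.append(("ROOTBINDDN_NEEDS_SECRET", "rootbinddn needs "
                        "/etc/ldap.secret (mode 0600) holding that DN's password"))
        elif secret_mode & 0o077:
            out.append(("LDAP_SECRET_PERMS", "/etc/ldap.secret is group/other "
                        "readable (mode %o); chmod 600 it" % secret_mode))
        if re.fullmatch(r"cn=(directory )?manager", conf["rootbinddn"], re.I):
            out.append(("ROOTBINDDN_SUPERUSER", "rootbinddn is the directory "
                        "superuser; root on this client then owns the whole "
                        "directory, so use a DN whose ACI only allows writing "
                        "userPassword"))
    tls = (conf.get("ssl", "no").lower() in ("on", "yes", "start_tls")
           or conf.get("uri", "").lower().startswith("ldaps://"))
    if not tls:
        out.append(("NO_TLS", "ssl no: the bind and the new password cross the "
                    "network in cleartext; use 'ssl start_tls' or ldaps"))
    elif conf.get("tls_checkpeer", "no").lower() != "yes":
        out.append(("TLS_NO_PEER_CHECK", "TLS is on but tls_checkpeer is not "
                    "yes, so any server certificate is accepted"))
    if "nss_base_passwd" not in conf:
        out.append(("NO_NSS_BASE_PASSWD", "nss_base_passwd unset: user lookups "
                    "are a subtree search under " + conf.get("base", "?")))
    return out


def lint_pam_stack(stack):
    """Flag a password stack that never reaches LDAP, or one that asks for the
    new password twice because a module after the strength checker lacks
    use_authtok and so does not reuse the token the checker accepted."""
    if "pam_ldap.so" not in [m for _, m, _ in stack]:
        return [("NO_PAM_LDAP", "pam_ldap.so is not in the password stack, so "
                 "LDAP users cannot change their password through PAM")]
    out, checked = [], False
    for control, module, args in stack:
        if module in ("pam_cracklib.so", "pam_pwquality.so", "pam_passwdqc.so"):
            checked = True
        elif (checked and module in ("pam_ldap.so", "pam_unix.so")
              and "use_authtok" not in args):
            out.append(("NO_USE_AUTHTOK", "%s %s follows the strength checker "
                        "without use_authtok" % (control, module)))
    return out


if __name__ == "__main__":
    for code, msg in (lint_ldap_conf(parse_ldap_conf(SAMPLE_LDAP_CONF))
                      + lint_pam_stack(parse_pam_stack(SAMPLE_PAM_PASSWD))):
        print("%-24s %s" % (code, msg))
```

To run it against a live host, feed parse_ldap_conf the contents of /etc/ldap.conf (or pam_ldap.conf, which Jamie notes is the name on some systems) and pass os.stat('/etc/ldap.secret').st_mode & 0o777 as secret_mode. The reason the bind password cannot simply be locked down in ldap.conf is that nss_ldap reads that file in every process that resolves a user or group, so it has to stay world-readable; that is why the template keeps the root credential in a separate mode-600 file, and why that file should hold the password of a narrowly scoped DN rather than cn=Directory Manager.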