Re: [389-users] Synchronizing passwords
by Juan Asensio Sánchez
Hi
Although I think the best solution for this is that Samba only updates the
Unix password, and the server generates the sambaLM and sambaNT passwords
dynamically using a plugin (perhaps, in the future, we will contribute these
plugins, but not right now), I have solved the problem described in my first
message in this way, in the Samba configuration:
* ldap passwd sync = No
* unix password sync = Yes
* passwd program = /usr/bin/perl -w /opt/ldap/smbldap-tools/bin/smbldap-passwd -u %u
* passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n "*Password changed*"
So when a user tries to modify his password, Samba tries to call the
"passwd program", and only if the command returns successfully (the "passwd
chat" is OK) does it try to update the Samba passwords, so the LDAP password
policies are checked when calling the smbldap-passwd script, because it will
fail if the password is not strong enough and the server rejects it.
I had to modify the smbldap-passwd script, because when the password is
changed successfully it didn't print anything, and "passwd chat" needs some
string to check that the change has been successful (I added "Password
changed" in the script after the LDAP operation when it is successful).
Hope this can help somebody.
Regards.
On 21 June 2010 at 15:46, Miguel Medalha <miguelmedalha(a)sapo.pt> wrote:
>
> Emmm, well, this makes samba update userPassword when changing the
>> password from Windows. But if i change the password from Linux, samba
>> passwords are not updated, because Linux machines are authenticating directly
>> with LDAP, not with Samba (just userPassword).
>>
>
> In that case, the LDAP server must be capable of updating the Samba
> passwords when the LDAP password is changed, which takes us back to your
> original question.
>
> Anyway, the smb.conf parameter to use for that would be:
>
> "ldap passwd sync = Only"
>
> (Only = Only update the LDAP password and let the LDAP server do the rest.)
>
>
> If the 389 server doesn't do the required operation, I suppose that by
> using the regular LDAP tools (ldapmodify, ldappasswd, etc.) combined with a
> shell script it will be easy to modify all passwords with a single command.
>
>
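The setup above relies on a contract between Samba and the "passwd program": Samba drives the program through the prompts listed in "passwd chat", feeds the new password at each %n, and only treats the change as successful if the final expected string ("*Password changed*") appears and the program exits 0. The following is an added example, not code from the thread or from smbldap-tools: a minimal POSIX shell stand-in for such a program that speaks exactly that dialogue, refuses mismatched passwords, and simulates the directory rejecting a weak password. The minimum-length rule is a placeholder assumption for the real LDAP password policy; in the real script that step is the LDAP modify of userPassword, whose failure must likewise produce a non-zero exit and no "Password changed" line.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or smbldap-tools.
# A "passwd program" stand-in that speaks the dialogue expected by the
# smb.conf "passwd chat" quoted in the thread:
#   "Changing UNIX password for*\nNew password*" %n\n
#   "*Retype new password*" %n\n "*Password changed*"
# Samba only updates the sambaLM/sambaNT hashes if this succeeds.

# change_password USER
# Reads the new password twice from stdin (as Samba feeds it through the
# chat), returns 0 and prints "Password changed" only on success.
change_password() {
    user=$1
    printf 'Changing UNIX password for %s\n' "$user"
    printf 'New password: '
    IFS= read -r pw1
    printf '\nRetype new password: '
    IFS= read -r pw2
    printf '\n'

    if [ "$pw1" != "$pw2" ]; then
        echo 'Sorry, passwords do not match.' >&2
        return 1
    fi

    # Assumption: a minimum length of 8 stands in for the LDAP server's
    # password policy. In the real script this is the userPassword modify,
    # which the server rejects (and the script must report) when the
    # policy is not met.
    if [ "${#pw1}" -lt 8 ]; then
        echo 'Password change failed: server rejected the password (policy).' >&2
        return 1
    fi

    # Success marker that "passwd chat" waits for; without this line Samba
    # would never consider the change complete.
    echo 'Password changed'
    return 0
}

# Stand-alone usage: printf 'newpass\nnewpass\n' | sh this_script.sh alice
if [ -n "${1:-}" ]; then
    change_password "$1"
fi
```

Two things are worth checking against the real smbldap-passwd once it is patched as described: that the success string is printed only after the LDAP operation returns success, and that every failure path exits non-zero, since Samba otherwise proceeds to update the Samba hashes for a password the directory refused.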
Sabayon/Gentoo distribution of 389org
by Roberto Polli
Hi all,
our company decided to sponsor a Sabayon/Gentoo distribution of 389org.
It seems that there are some issues in admin-server, which have been deeply
investigated by the Sabayon maintainer.
Those issues could be related to the latest versions of the libraries used in
Gentoo; so the question:
- did some of you test 389org on Fedora Linux or RHEL6?
Peace,
R.
--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)
Limiting access to specific hosts.
by Fairchild, Anthony
Hello,
I have gotten 389 directory up and running and am beginning to add
users, but would like to know how to restrict a user to only logging in
to a specific host or a group of hosts. Could anybody point me to some
documentation on this? I don't seem to be having much luck finding it
through Google.
--
Anthony
Password History in a Replicated Environment
by Gerrard Geldenhuis
Hi
The documentation clearly states that password modification history is not replicated including account lockout counters. To me that seems a bit pointless to have if your servers are authenticating against a cluster of 4 machines. There is no guarantee that next time when you change your password that the history will be captured by the same server.
I am sure I am not the only person that has had to deal with this dilemma and am curious about other possible solutions to this problem. The problem being to keep a shared user password between multi-masters. I would really appreciate any thoughts or shared experiences in dealing with the limitations of the password policy in a multi-master environment.
Regards
enabling posixGroup for a group (error : attribute "uidNumber" not allowed)
by Daniel Maher
Hello,
I am trying to get system groups working on 389-ds via the addition of
"posixGroup" as a value for a given LDAP group.
Numerous posts in the archives, as well as on other forums, seem to
indicate that it should be a relatively straightforward affair. Here's
what I've tried via the console:
1. Creation of OU "systemgroups"
2. Creation of group "admin"
3. In advanced properties of group "admin", Object Class -> Add value ->
posixGroup
4. OK
However, this error appears in the log :
[02/Jul/2010:09:43:03 +0000] - Entry
"cn=admin,ou=systemgroups,dc=domain,dc=net" -- attribute "uidNumber" not
allowed
I am sure I have just missed something small, like the activation of a
plugin, or the integration of a particular schema. I can create users
with associated posix data (uid, gid, homedir, etc...), so at least that
works. :)
Any help, or a push in the correct direction, would be greatly
appreciated. Thank you, all.
--
Daniel Maher <dma + 389users AT witbe DOT net>
Computer account samba 389
by Roland de Lepper
Hi there,
I've just set up, for test, a Fedora 389 directory with Samba on CentOS 5.4
x86_64. All is working fine. I can do a "smbpasswd -a user" and see the
newly created user in the 389 directory.
I've set up DNS, which is also running fine.
Now I'm trying to get a Windows 7 machine to be part of the domain. I've made
the necessary change in the registry on Windows, shut down the firewall on
both machines and SELinux on the Linux machine.
When I specify the administrator user and password to be able to make
Windows 7 part of the domain, I get a weird Windows message saying: "A
device attached to the system is not functioning". A weird message, but it
appears the computer account cannot be automatically updated in 389.
When I check the log on my Linux machine it says:
ldapsam_add_sam_account: failed to modify/add user with uid LDAPCLIENT$
(dn = uid=LDAPCLIENT$,ou=Computers,dc=example,dc=org)
The machine account is created with the useradd command on Linux.
How can the machine account be updated into 389 so my Windows 7 machine
can be part of the domain?
Thanks in advance for any reply.
Re: [389-users] 389DS ignoring nsslapd-sizelimit
by Juan Asensio Sánchez
Hi
Just one more question. What is the meaning of having nsslapd-sizelimit in
"cn=default instance config,cn=chaining database,cn=plugins,cn=config"? Is
there any search limit in each database?
Regards.
2010/7/2 Noriko Hosoi <nhosoi(a)redhat.com>
> Thank you for your update. Don't be sorry. I made the same mistake
> before... ;)
>
>
> On 07/02/2010 01:44 AM, Juan Asensio Sánchez wrote:
>
> Hello
>
> Ehmmmmmm, well, you are right. nsslapd-sizelimit is in dn "cn=default
> instance config,cn=chaining database,cn=plugins,cn=config", not in
> "cn=config" as it should be. I am not sure if the change was done after or
> before the upgrade from 1.1.3 to 1.2.5, so I don't know if the setting was lost
> or not. I will verify this when we upgrade a new server.
>
> Regards, and sorry :).
>
>
> 2010/7/1 Noriko Hosoi <nhosoi(a)redhat.com>
>
>> Which configuration entry does your nsslapd-sizelimit belong to?
>> nsslapd-sizelimit: 50000
>>
>> Is it in "dn: cn=config"?
>>
>> http://www.redhat.com/docs/manuals/dir-server/8.1/cli/Configuration_Comma...
>>
>> Thanks,
>> --noriko
>>
>>
>> On 07/01/2010 06:00 AM, Juan Asensio Sánchez wrote:
>>
>> Hi
>>
>> We have just realized that our servers are ignoring the parameter
>> nsslapd-sizelimit. If we do a search of the entire directory (about 50000
>> entries), we have a size limit exceeded:
>>
>> # ldapsearch -H ldaps://localhost -x -LLL -b "dc=XXXXX,dc=es" -D
>> "uid=XXXXX,ou=XXXXX,o=XXXX,dc=XXXX,dc=es" -W
>> [....]
>> Size limit exceeded (4)
>>
>>
>> These are the messages in the access log:
>>
>> [01/Jul/2010:14:53:35 +0200] conn=376 fd=78 slot=78 SSL connection from
>> 127.0.0.1 to 127.0.0.1
>> [01/Jul/2010:14:53:35 +0200] conn=376 SSL 256-bit AES
>> [01/Jul/2010:14:53:35 +0200] conn=376 op=0 BIND
>> dn="uid=XXXX,ou=People,o=XXXX,dc=XXXX,dc=es" method=128 version=3
>> [01/Jul/2010:14:53:35 +0200] conn=376 op=0 RESULT err=0 tag=97 nentries=0
>> etime=0 dn="uid=XXXX,ou=XXXX,o=XXXX,dc=XXXX,dc=es"
>> [01/Jul/2010:14:53:35 +0200] conn=376 op=1 SRCH base="dc=XXXXX,dc=es"
>> scope=2 filter="(objectClass=*)" attrs=ALL
>> [01/Jul/2010:14:53:38 +0200] conn=376 op=1 RESULT err=4 tag=101
>> nentries=2000 etime=3
>> [01/Jul/2010:14:53:42 +0200] conn=376 op=2 UNBIND
>> [01/Jul/2010:14:53:42 +0200] conn=376 op=2 fd=78 closed - U1
>>
>>
>> Although we have configured a size limit of 50000:
>>
>> # egrep
>> "(^nsslapd-sizelimit:|^nsslapd-idlistscanlimit:|^nsslapd-lookthroughlimit:)"
>> /etc/dirsrv/slapd-pruebas/dse.ldif
>> nsslapd-sizelimit: 50000
>> nsslapd-lookthroughlimit: 50000
>> nsslapd-idlistscanlimit: 50000
>>
>> Any idea about what is happening?
>>
>> Regards.
>>
>>
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>>
>>
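The root cause found in this exchange is a classic dse.ldif pitfall: the egrep in the original report confirmed that the attribute existed in the file, but not which entry it belonged to, and a limit set under "cn=default instance config,cn=chaining database,cn=plugins,cn=config" only applies to chaining (database link) defaults, not to the server-wide limit read from "cn=config". The following is an added example, not code from the thread or from 389 Directory Server: a small POSIX shell/awk check that reports the owning DN of every occurrence of an attribute in an LDIF file and tests whether a given entry carries it. The dse.ldif fragment embedded in it is constructed to mirror the situation described above (the other two limits on cn=config, nsslapd-sizelimit only on the chaining entry); the attribute names are real, the values are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from 389-ds.
# Shows which entry in a dse.ldif-style file actually carries an attribute,
# because "grep ^nsslapd-sizelimit: dse.ldif" cannot distinguish cn=config
# from the chaining-database default entry.

# Constructed sample mirroring the thread: the two scan limits are on
# cn=config, but nsslapd-sizelimit sits only under the chaining defaults.
SAMPLE_DSE=$(mktemp)
trap 'rm -f "$SAMPLE_DSE"' EXIT
cat > "$SAMPLE_DSE" <<'EOF'
dn: cn=config
cn: config
objectClass: nsslapdConfig
nsslapd-lookthroughlimit: 50000
nsslapd-idlistscanlimit: 50000

dn: cn=default instance config,cn=chaining database,cn=plugins,cn=config
cn: default instance config
objectClass: nsBackendInstance
nsslapd-sizelimit: 50000
nsslapd-timelimit: 3600
EOF

# attr_owner FILE ATTR
# Prints "<dn><TAB><attr>: <value>" for every entry in FILE that has ATTR.
# Relies on LDIF entries starting with a "dn: " line; attribute names are
# matched as a line prefix followed by ':' so e.g. "nsslapd-sizelimit" does
# not match "nsslapd-sizelimitfoo".
attr_owner() {
    awk -v attr="$2" '
        /^dn: /                  { dn = substr($0, 5) }
        index($0, attr ":") == 1 { print dn "\t" $0 }
    ' "$1"
}

# entry_has_attr FILE DN ATTR
# Exit status 0 if the entry with exactly that DN carries ATTR, 1 otherwise.
entry_has_attr() {
    awk -v want="$2" -v attr="$3" '
        /^dn: /                              { in_entry = (substr($0, 5) == want) }
        in_entry && index($0, attr ":") == 1 { found = 1 }
        END                                  { exit(found ? 0 : 1) }
    ' "$1"
}

# Stand-alone usage: run the check against the constructed sample.
if entry_has_attr "$SAMPLE_DSE" "cn=config" nsslapd-sizelimit; then
    echo "nsslapd-sizelimit is set on cn=config"
else
    echo "nsslapd-sizelimit is NOT on cn=config; occurrences found:"
    attr_owner "$SAMPLE_DSE" nsslapd-sizelimit
fi
```

Against a live server the same question can be asked without touching dse.ldif: an ldapsearch with base "cn=config" and scope base for nsslapd-sizelimit shows the value the server actually enforces, and ldapmodify against "cn=config" is the place to set it. Note also that a bound user's own nsSizeLimit attribute, where present, overrides the global value for that user, so checking cn=config alone is not always the full story.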
389DS ignoring nsslapd-sizelimit
by Juan Asensio Sánchez
Hi
We have just realized that our servers are ignoring the parameter
nsslapd-sizelimit. If we do a search of the entire directory (about 50000
entries), we have a size limit exceeded:
# ldapsearch -H ldaps://localhost -x -LLL -b "dc=XXXXX,dc=es" -D
"uid=XXXXX,ou=XXXXX,o=XXXX,dc=XXXX,dc=es" -W
[....]
Size limit exceeded (4)
These are the messages in the access log:
[01/Jul/2010:14:53:35 +0200] conn=376 fd=78 slot=78 SSL connection from
127.0.0.1 to 127.0.0.1
[01/Jul/2010:14:53:35 +0200] conn=376 SSL 256-bit AES
[01/Jul/2010:14:53:35 +0200] conn=376 op=0 BIND
dn="uid=XXXX,ou=People,o=XXXX,dc=XXXX,dc=es" method=128 version=3
[01/Jul/2010:14:53:35 +0200] conn=376 op=0 RESULT err=0 tag=97 nentries=0
etime=0 dn="uid=XXXX,ou=XXXX,o=XXXX,dc=XXXX,dc=es"
[01/Jul/2010:14:53:35 +0200] conn=376 op=1 SRCH base="dc=XXXXX,dc=es"
scope=2 filter="(objectClass=*)" attrs=ALL
[01/Jul/2010:14:53:38 +0200] conn=376 op=1 RESULT err=4 tag=101
nentries=2000 etime=3
[01/Jul/2010:14:53:42 +0200] conn=376 op=2 UNBIND
[01/Jul/2010:14:53:42 +0200] conn=376 op=2 fd=78 closed - U1
Although we have configured a size limit of 50000:
# egrep
"(^nsslapd-sizelimit:|^nsslapd-idlistscanlimit:|^nsslapd-lookthroughlimit:)"
/etc/dirsrv/slapd-pruebas/dse.ldif
nsslapd-sizelimit: 50000
nsslapd-lookthroughlimit: 50000
nsslapd-idlistscanlimit: 50000
Any idea about what is happening?
Regards.