10-31-2008, 07:32 PM
Steve Thompson

LDAP and expired passwords

CentOS 5.2 with OpenLDAP 2.3.27, nss_ldap_253.13, using TLS, i686 and
x86_64.


If a user with an expired password (shadowLastChange + shadowMax < current
day) logs in to a system where ldap.conf points first to a consumer-only
LDAP server, the password change operation (exop) proceeds and fails with:


LDAP password information update failed: Referral

If I comment out "ssl start_tls", the referral to the master is followed
and the password change operation succeeds. I've found references to
problems with earlier releases of pam_ldap when referrals were not
properly followed when using TLS, and these are supposed to be fixed;
apparently not in my case. Can anyone hit me with the clue stick?


Steve
----------------------------------------------------------------------------
Steve Thompson E-mail: smt AT vgersoft DOT com
Voyager Software LLC Web: http://www DOT vgersoft DOT com
39 Smugglers Path VSW Support: support AT vgersoft DOT com
Ithaca, NY 14850
"186,300 miles per second: it's not just a good idea, it's the law"
----------------------------------------------------------------------------
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
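The expiry rule Steve quotes (shadowLastChange + shadowMax < current day) carried through the other shadowAccount attributes as a single state check, as an added example that is not part of the thread. The LDIF entry is constructed, and the state names and the shadow(5) semantics beyond the quoted rule are my assumptions about how pam_ldap/pam_unix evaluate ageing.

```python
"""Classify a shadowAccount's password state. Day counts are days since
1970-01-01, exactly as in /etc/shadow and the LDAP shadow* attributes."""

# Constructed sample entry (not from the thread); the values are arbitrary.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: shadowAccount
shadowLastChange: 14100
shadowMax: 90
shadowWarning: 7
shadowInactive: 14
shadowExpire: 14600
"""

def parse_ldif_entry(text):
    """Map each attribute of one LDIF entry to its values (plain, non-base64)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def shadow_state(entry, today):
    """Return 'account-expired', 'locked', 'expired', 'warning' or 'ok',
    following shadow(5): the password is expired once
    shadowLastChange + shadowMax < today, the rule quoted in the thread."""
    def attr(name):
        values = entry.get(name)
        return int(values[0]) if values else None

    last_change, max_age = attr("shadowLastChange"), attr("shadowMax")
    warn, inactive = attr("shadowWarning") or 0, attr("shadowInactive")
    expire = attr("shadowExpire")
    # shadowExpire disables the whole account from that day on.
    if expire is not None and expire >= 0 and today >= expire:
        return "account-expired"
    # No ageing configured (or disabled with a negative shadowMax).
    if last_change is None or max_age is None or max_age < 0:
        return "ok"
    if last_change == 0:  # administrator forced a change at next login
        return "expired"
    days_left = last_change + max_age - today
    if days_left < 0:
        # Past the shadowInactive grace period the account is locked outright.
        if inactive is not None and inactive >= 0 and -days_left > inactive:
            return "locked"
        return "expired"
    return "warning" if days_left < warn else "ok"
```

An account in the "expired" state is exactly the case Steve describes: the login succeeds but pam_ldap immediately runs the password-change exop, which is where the referral has to be followed.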
 
10-31-2008, 09:23 PM
Scott McClanahan

LDAP and expired passwords

On Fri, 2008-10-31 at 16:32 -0400, Steve Thompson wrote:
> CentOS 5.2 with OpenLDAP 2.3.27, nss_ldap_253.13, using TLS, i686 and
> x86_64.
>
> LDAP password information update failed: Referral
>
> If I comment out "ssl start_tls", the referral to the master is followed
> and the password change operation succeeds. I've found references to
> problems with earlier releases of pam_ldap when referrals were not
> properly followed when using TLS, and these are supposed to be fixed;
> apparently not in my case. Can anyone hit me with the clue stick?

Does the common name in the certificate or the x509 v3 extensions match
the hostname used in the referral in your slapd.conf? Is the
certificate issued by the ldap server you are being referred to signed
by a trusted CA? Following referrals using start_tls works just fine
for me.