Hello, for user authentication we use NIS on a Solaris System. Solaris 7/8/9 and Redhat 4/5 access this domain. Now I want to migrate to Fedora Directory Server.

What I have done:
* Installed Redhat 5 x86_64
* Installed 389 from EPEL
* Imported NIS Data into 389 with LdapImport from Babel
* Authentication over LDAP and LDAP SSL works. (POSIX Accounts)
* Installed slapi-nis 0.24
* Configured slapi-nis with nis-getting-started.txt

Working:
* Providing NIS MAPS
[root@xxxx ~]# ypwhich -m
users sux7292v.xxx.com
passwd.byuid xxx.xx.com
passwd.byname xxx.xx.com
group.byname xxx.xx.com
group.bygid xxx.xx.com
[root@xxx ~]#

* Get passwd and groups
[root@xxx slapd-xxx]# ypcat passwd | grep tst
tst:*:1346:21:Test:/user/tst:/bin/csh

My problem:
Authentication is not working, login is not possible.
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
05-18-2011, 03:27 PM
Nalin Dahyabhai
NIS 389 Directory Server
On Wed, May 18, 2011 at 01:22:21PM +0200, Neuhold Christian (TSA) wrote:
> ypcat passwd old system:
>
> [root@xxx slapd-xxx]# ypcat passwd | grep tst
>
> tst:*:1346:21:Test:/user/tst:/bin/csh
>
> ypcat passwd new system:
>
> [root@xxx ~]# ypcat passwd | grep tst
>
> tst:xOf6bdfgZsCsA:1346:21:Test:/user/tst:/bin/csh
>
> Is it possible to provide the password hash with
> slapi-nis/389-directory server?
It should be. It's certainly the intention, at least.
By default, if an entry's userPassword attribute contains a
crypt-compatible hash (i.e., if it's marked as such by starting with
"{CRYPT}"), the value will be provided to clients as part of the entry
in the two passwd maps. Just to be clear, that's what you're after,
right?
Do you have the LDIF for a sample user?
HTH,
Nalin
05-18-2011, 08:28 PM
"Neuhold Christian (TSA)"
NIS 389 Directory Server
Hello, thanks for the tip with "{CRYPT}". I made some testing and played with nis-value-format:
--> Definition from users in dse.ldif:
dn: nis-domain=amsint+nis-map=users,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: amsint
nis-map: users
nis-base: ou=People, dc=amsint, dc=com
nis-filter: (objectClass=posixAccount)
nis-key-format: %{uid}
nis-value-format: %{uid}:%{userPassword}:%{uidNumber}:%{gidNumber}:%{cn}:%{homeDirectory}:%{loginShell}
--> So I tried with this definition:
dn: nis-domain=amsint+nis-map=users2,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: amsint
nis-map: users2
nis-base: ou=People, dc=amsint, dc=com
nis-filter: (objectClass=posixAccount)
nis-key-format: %{uid}
nis-value-format: %{uid}:%regsub("%{userPassword}","^{crypt}(..*)","%1","*"):%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User},,,}:%{homeDirectory}:%{loginShell:-/bin/bash}
--> {crypt} vs. {CRYPT} but still:
[root@xxx ~]# ypcat users2 | grep tst
tst:*:1346:21:Test:/user/tst:/bin/csh
--> So I tried again with:
dn: nis-domain=amsint+nis-map=users3,cn=NIS Server,cn=plugins,cn=config
objectClass: extensibleObject
objectClass: top
nis-domain: amsint
nis-map: users3
nis-base: ou=People, dc=amsint, dc=com
nis-filter: (objectClass=posixAccount)
nis-key-format: %{uid}
nis-value-format: %{uid}:%regsub("%{userPassword}","crypt}(..*)","%1","*"):%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User},,,}:%{homeDirectory}:%{loginShell:-/bin/bash}
--> {crypt} vs. crypt} and now:
[root@xxx ~]# ypcat users3 | grep tst
tst:xOf6b2C9ZsCsA:1346:21:Test:/user/tst:/bin/csh
But why?
Br, cnu80
05-18-2011, 09:25 PM
Nalin Dahyabhai
NIS 389 Directory Server
On Wed, May 18, 2011 at 10:28:49PM +0200, Neuhold Christian (TSA) wrote:
> Hello, thanks for tip with "{CRYPT}". I made some testing and played with nis-value-format:
>
> [root@xxx ~]# ypcat users | grep tst
> tst:{crypt}xOf6b2C9ZsCsA:1346:21:Test:/user/tst:/bin/csh
>
> --> Definition from users in dse.ldif:
> dn: nis-domain=amsint+nis-map=users,cn=NIS Server,cn=plugins,cn=config
> objectClass: extensibleObject
> objectClass: top
> nis-domain: amsint
> nis-map: users
> nis-base: ou=People, dc=amsint, dc=com
> nis-filter: (objectClass=posixAccount)
> nis-key-format: %{uid}
> nis-value-format: %{uid}:%{userPassword}:%{uidNumber}:%{gidNumber}:%{cn}:%{homeDirectory}:%{loginShell}
That's probably not a good idea -- if you have a plaintext user
password, it'll show up in this field as plaintext. If you have
passwords hashed using mechanisms other than crypt() (like {SSHA}) the
hashes will show up here even though your client machines won't know
what to do with them, but that's less of an issue.
> --> So I tried with this definition:
> dn: nis-domain=amsint+nis-map=users2,cn=NIS Server,cn=plugins,cn=config
> objectClass: extensibleObject
> objectClass: top
> nis-domain: amsint
> nis-map: users2
> nis-base: ou=People, dc=amsint, dc=com
> nis-filter: (objectClass=posixAccount)
> nis-key-format: %{uid}
> nis-value-format: %{uid}:%regsub("%{userPassword}","^{crypt}(..*)","%1","*"):%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User},,,}:%{homeDirectory}:%{loginShell:-/bin/bash}
>
> --> {crypt} vs. {CRYPT} but still:
> [root@xxx ~]# ypcat users2 | grep tst
> tst:*:1346:21:Test:/user/tst:/bin/csh
Quoting gets pretty complicated rather quickly here -- the way you've
written this expression, I think you'd want to start with "^{" to
include a literal "" in the regular expression. You can run
"nisserver-plugin-defs -m passwd.byname" to pull up the defaults.
> --> So I tried again with:
> dn: nis-domain=amsint+nis-map=users3,cn=NIS Server,cn=plugins,cn=config
> objectClass: extensibleObject
> objectClass: top
> nis-domain: amsint
> nis-map: users3
> nis-base: ou=People, dc=amsint, dc=com
> nis-filter: (objectClass=posixAccount)
> nis-key-format: %{uid}
> nis-value-format: %{uid}:%regsub("%{userPassword}","crypt}(..*)","%1","*"):%{uidNumber}:%{gidNumber}:%{gecos:-%{cn:-Some Unnamed User},,,}:%{homeDirectory}:%{loginShell:-/bin/bash}
>
> --> {crypt} vs. crypt} and now:
> [root@xxx ~]# ypcat users3 | grep tst
> tst:xOf6b2C9ZsCsA:1346:21:Test:/user/tst:/bin/csh
>
> But why?
The "{CRYPT}" prefix is checked for in a case-sensitive manner, so if
the values you have actually start with "{crypt}", then that'd explain
why this nis-value-format causes the desired value to show up and the
default doesn't.
HTH,
Nalin
05-19-2011, 07:29 AM
"Neuhold Christian (TSA)"
NIS 389 Directory Server
Hello, thank you.
I changed passwd.byname and passwd.byuid map from
crypt}(..*)
to
^{crypt}(..*)
It works perfectly. Thanks for the help!!!
Do you know if the passwd command is possible? Because I get:
xxxxx tst# passwd
Changing password for user tst.
Changing password for tst
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: Failed preliminary check by password service
Br, cnu80
05-19-2011, 02:09 PM
Nalin Dahyabhai
NIS 389 Directory Server
On Thu, May 19, 2011 at 09:29:15AM +0200, Neuhold Christian (TSA) wrote:
> Hello, thank you.
>
> I changed passwd.byname and passwd.byuid map from
>
> crypt}(..*)
> to
> ^{crypt}(..*)
>
> It works perfectly. Thanks for help!!!
>
> Do you know if command passwd is possible? Because I get:
> xxxxx tst# passwd
> Changing password for user tst.
> Changing password for tst
> (current) UNIX password:
> New UNIX password:
> Retype new UNIX password:
> passwd: Failed preliminary check by password service
Sorry, but the module doesn't implement the yppasswd protocol (which is
also used for ypchfn and ypchsh). You'll need to use the web gateway or
other native LDAP tools for that.
A change request in that protocol includes the current password in
unhashed, unencrypted form, so I don't expect to add support for it in
the future.
HTH,
Nalin