2012/1/4 Pat_Tune <[email protected]>:
> Hello,
Hello,
> I am setting up an LDAP directory with the password policy.
>
> I am on Debian Linux ldap-test 2.6.35.10-guest-squeeze.
> I am using ldap version 2.4.23 and the latest version of phpldapadmin.
>
> I have set up my users as well as my password policy.
>
> Here is my slapd.conf config file:
>
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/radius.schema
> include /etc/ldap/schema/ppolicy.schema
>
> moduleload ppolicy.la
>
> # Where the pid file is put. The init.d script
> # will not stop the server if you change this.
> pidfile /var/run/slapd/slapd.pid
>
> # List of arguments that were passed to the server
> argsfile /var/run/slapd/slapd.args
>
> # Read slapd.conf(5) for possible values
> loglevel -1024
>
> # Where the dynamically loaded modules are stored
> modulepath /usr/lib/ldap
> moduleload back_hdb
>
> # The maximum number of entries that is returned for a search operation
> sizelimit 500
>
> # The tool-threads parameter sets the actual amount of cpu's that is used for indexing.
> tool-threads 1
>
> backend hdb
>
> database hdb
> suffix "dc=credit-agricole,dc=fr"
>
> overlay ppolicy
>
> # rootdn directive for specifying a superuser on the database.
> rootdn "cn=Manager,dc=credit-agricole,dc=fr"
> rootpw {SSHA}cYs2e9MdercOPDfgIUb3HTOfLM/BuzEP
>
> # Where the database file are physically stored for database #1
> directory "/var/lib/ldap"
>
> ppolicy_default "cn=dure,ou=politique-dure,dc=credit-agricole,dc=fr"
>
> ppolicy_use_lockout
>
> # Hash method used to store passwords
> password-hash {SHA},{SSHA}
>
> # For the Debian package we use 2MB as default but be sure to update this value if you have plenty of RAM
> dbconfig set_cachesize 0 2097152 0
>
>
> # Number of objects that can be locked at the same time.
> dbconfig set_lk_max_objects 1500
> # Number of locks (both requested and granted)
> dbconfig set_lk_max_locks 1500
> # Number of lockers
> dbconfig set_lk_max_lockers 1500
>
> # Indexing options for database #1
>
> index objectClass,uid,uidNumber,gidNumber,memberUid,Class eq
> index cn,mail,surname,givenname eq,subinitial
> index entryCSN,entryUUID eq
>
>
> # Save the time that the entry gets modified, for database #1
> lastmod on
>
> # Checkpoint the BerkeleyDB database periodically in case of system failure and to speed slapd shutdown.
> checkpoint 512 30
>
> access to attrs=userPassword
> by dn="cn=Replicator,dc=credit-agricole,dc=fr" write
> by self write
> by anonymous auth
> by * none
>
> access to *
> by dn="cn=Replicator,dc=credit-agricole,dc=fr" write
> by self write
> by users read
> by * read
>
>
> When the user logs in and wants to change his password with the
> passwd or ldappasswd command, he gets the error message:
> ldappasswd
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
> additional info: SASL(-13): user not found: no secret in database
You have to explicitly request non-SASL authentication with the -x
option of ldappasswd.
> or else
> passwd
> Enter login(LDAP) password:
> passwd : Utilisateur inconnu par le module d'authentification sous-jacent
> Mot de passe non changé
>
> I am using pam.d, with the files common-auth, common-account, common-passwd,
> common-session
Don't you have any logs in /var/log/messages or elsewhere that would give
more information? Otherwise you also need to look at the OpenLDAP logs.
Clément.
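As an added illustration (not code from either message, nor from OpenLDAP): a small Python model of how slapd walks the two access directives quoted above, used to check whether a simple bind (ldappasswd -x -D <user DN> -W -S) is even allowed to change the user's own userPassword once the SASL problem is out of the way. It covers only the ACL syntax the post uses (attrs=/*, dn=/self/anonymous/users/*, the standard access levels); the user DNs are constructed examples, and real slapd semantics (regex DNs, sets, break/stop, the entry/children pseudo-attributes) are richer, so confirm against a live server with slapacl(8).

```python
import re
import shlex

# Access levels as slapd.access(5) orders them; a grant of level L implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The two ACLs quoted in the post, copied as they appear there.
ACL_TEXT = """
access to attrs=userPassword
    by dn="cn=Replicator,dc=credit-agricole,dc=fr" write
    by self write
    by anonymous auth
    by * none

access to *
    by dn="cn=Replicator,dc=credit-agricole,dc=fr" write
    by self write
    by users read
    by * read
"""

def norm_dn(dn):
    """Case-fold and strip spaces around RDN separators so DNs compare as plain strings."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_acls(text):
    """Split slapd.conf text into [(what, [(who, level), ...]), ...] in file order."""
    body = " ".join(line.strip() for line in text.splitlines() if line.strip())
    acls = []
    for clause in re.split(r"\baccess\s+to\s+", body)[1:]:
        tokens = shlex.split(clause)  # shlex also removes the quotes around dn="..."
        what, rest = tokens[0], tokens[1:]
        if len(rest) % 3 or any(rest[i] != "by" for i in range(0, len(rest), 3)):
            raise ValueError("malformed 'by' clauses in: " + clause)
        by_clauses = [(rest[i + 1], rest[i + 2]) for i in range(0, len(rest), 3)]
        for _, level in by_clauses:
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
        acls.append((what, by_clauses))
    return acls

def what_matches(what, attr):
    """Does this 'access to' target cover the attribute being touched?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.strip().lower() for a in what[len("attrs="):].split(",")]
    raise ValueError("target form not supported by this model: " + what)

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(target_dn)
    if who.startswith("dn="):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[len("dn="):])
    raise ValueError("<who> form not supported by this model: " + who)

def access_level(acls, bind_dn, target_dn, attr):
    """The first 'access to' whose target matches decides; inside it the first matching
    'by' wins. A matching directive with no matching 'by' denies: slapd behaves as if
    'by * none' were appended to every directive."""
    for what, by_clauses in acls:
        if what_matches(what, attr):
            for who, level in by_clauses:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"
    return "none"  # no directive matched at all: denied once any ACLs are configured

def allows(acls, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(access_level(acls, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

def self_service_password_ok(acls, user_dn):
    """The two grants 'ldappasswd -x -D <user_dn> -W -S' relies on: anonymous may 'auth'
    against userPassword (so the simple bind can be verified), and the bound user may
    'write' their own userPassword."""
    return (allows(acls, None, user_dn, "userPassword", "auth")
            and allows(acls, user_dn, user_dn, "userPassword", "write"))

if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    alice = "uid=alice,ou=people,dc=credit-agricole,dc=fr"  # constructed example DN
    print("self-service password change possible for alice:", self_service_password_ok(acls, alice))
```

With the ACLs from the post the model grants the user "write" on his own userPassword and grants anonymous "auth" on it, so a simple bind as the user should be able to run the password change; note that the second directive's "by self write" also lets every user rewrite any other attribute of his own entry, which is worth keeping in mind when the ppolicy attributes live in the same entries.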
_______________________________________________
ltb-users mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-users