[CentOS] LDAP and expired passwords

Steve Thompson smt at vgersoft.com
Sat Nov 1 13:30:41 UTC 2008


On Fri, 31 Oct 2008, Filipe Brandenburger wrote:

Hi Filipe; many thanks for your reply.

> # grep ^updateref /etc/openldap/slapd.conf

 	updateref ldaps://ldap1.cbe.cornell.edu

> # openssl x509 -text -in $(grep -i ^tlscertificatefile
> /etc/openldap/slapd.conf | awk '{print$2}') | grep Subject:

master (line continuations added):
         Subject: C=US, ST=New York, O=Cornell School of Chemical and \
 	Biomolecular Engineering/emailAddress=certs at cbe.cornell.edu, \
 	CN=ldap1.cbe.cornell.edu

slave:
         Subject: C=US, ST=New York, O=Cornell School of Chemical and \
 	Biomolecular Engineering/emailAddress=certs at cbe.cornell.edu, \
 	CN=asimov.cbe.cornell.edu

> What is the issuer of each certificate?

Same on master and all slaves:
         Issuer: O=Cornell School of Chemical and Biomolecular Engineering,
 	L=Ithaca, ST=New York, C=US,
 	CN=cbe.cornell.edu/emailAddress=certs at cbe.cornell.edu

> Could you also send the /etc/ldap.conf of the client where you are
> trying to change the password?

 	host asimov.cbe.cornell.edu
 	referrals yes
 	base dc=cbe,dc=cornell,dc=edu
 	ldap_version 3
 	binddn cn=kelvin.cbe.cornell.edu,ou=Binddn,dc=cbe,dc=cornell,dc=edu
 	bindpw XXXXXXXXX
 	timelimit 120
 	bind_timelimit 5
 	bind_policy soft
 	idle_timelimit 3600
 	pam_password exop
 	nss_base_passwd         ou=People,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_shadow         ou=People,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_group          ou=Group,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_hosts          ou=Hosts,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_services       ou=Services,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_networks       ou=Networks,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_protocols      ou=Protocols,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_rpc            ou=Rpc,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_ethers         ou=Ethers,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_netmasks       ou=Networks,dc=cbe,dc=cornell,dc=edu?ne
 	nss_base_bootparams     ou=Ethers,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_aliases        ou=Aliases,dc=cbe,dc=cornell,dc=edu?one
 	nss_base_netgroup       ou=Netgroup,dc=cbe,dc=cornell,dc=edu?one
 	ssl start_tls
 	tls_checkpeer yes
 	tls_cacertdir /etc/openldap/cacerts
 	tls_ciphers TLSv1

-Steve


