mingbo's tech tips

I installed and configured 389 directory server (aka redhat directory server), created user/group and configured follow the instruction at http://directory.fedoraproject.org/wiki/Howto:PAM on my Redhat 5.x Linux server I tried to reset user password, and then login with ssh, but no matter if the password is reset or not, there's no prompt for changing the expired password. I tried using command "login testUser", it will prompt me for new password. I checked /etc/pam.d/sshd, found out it missed one entry: auth       include      system-auth and system-auth will include ldap related settings: auth        sufficient    pam_ldap.so use_first_pass then the password change prompt pop out after login with ssh: WARNING: Your password has expired. You must change your password now and login again! Changing password for user testUser. Enter login(LDAP) password: So now I can force user to change their password after password reset or when password expired.

After install openldap on redhat, I can startup the process and access using ldapsearch but cannot access via ssl, I hit errors like below # ldapsearch -d 1 -x -D "cn=Manager,dc=example,dc=com" -w secret -H ldaps://192.168.16.88 cn ldap_create ldap_url_parse_ext(ldaps://192.168.16.88) ldap_bind ldap_simple_bind ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP 192.168.16.88:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.16.88:636 ldap_connect_timeout: fd: 3 tm: -1 async: 0 TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS: can't connect. ldap_perror ldap_bind: Can't contact LDAP server (-1) did a test using openssl to verify if ssl works:  # openssl s_client -connect 192.168.16.88:636 CONNECTED(00000003) 10484:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c: