Changing eDirectory Password From Linux Machine - linux

I have Configured LDAP Authentication for my Linux Machines. The LDAP Server is Novell eDirectory. The LDAP Users are able to login into the machine. But when i am issuing passwd command it is asking LDAP password then asking to give me new password. After that i am getting a message saying that all the authentication tokens are successfully updated.
But when i try to login with the new password into the machine it is not allowing but when i tried with the old password it is allowing me to loign. Even the eDirectory password also didn't got changed?
What's wrong i am doing?
Thanks and regards,
Sunny.

Do you have access to the eDirectory server you are pointing at? If so, go to iMonitor (https://serverIP:8030/nds/trace) and login, and then in Trace settings (box in the bar with tick marks, and lightning bolts) and clear all, and then enable LDAP tracing.
Refresh and go to Trace Live, then do the password change and look at the trace event from the LDAP server perspective. Likely something will be revealed there.

Related

Hackers spamming my mail server

I've had a postfix(SASL) mail server running well for a long time with no problems. However recently I've installed vsftp to allow users to login and download files.
I created a linux user with a generic username/password which I thought didn't matter as I had disabled ssh login and wasn't too concerned if anyone had logged into the ftp account (read-only access). However what I hadn't realised was that several spammers have brute forced entry (logging into SASL) and sending emails.
Is there any way to disable the linux user for mail but keep the credentials the same for vsftp?
Try
usermod -s /bin/false username
I ended up removing the linux user and adding the user as a user for vsftp. This then still allowed the username/password to work and disabled the intruder from using the server as a spam server. Issue resolved :).

using CCtray with Jenkins, while security enabled (using HTTPS)

I configured my Jenkins server to only use HTTPS and enabled security.
As well I don't like anybody who's not logged on to see the Dashboard (even if it would be empty). Here for I disabled the 'read' access for 'anonymous'.
So far all this works exactly to my likings :)
But wanting to add some build notification functionality to remote clients by e.g. using something like 'CCtray' I run into trouble. The access to the https://<SERVER>/cc.xml now only works for logged in users.
Where I would have liked to be able to get those notifications for 'anonymous'.
Probably combining these wishes is kind of contradictory - I suppose?
Maybe someone has a better idea which could match my likings?
Possibly any other notification tool which can be used???
For the Mercurial hook triggering the sw-builds I can use a construction like
curl --cacert <CERTIFICATE> https://<USER>:<PASSWORD>#<SERVER>/job/MyPROJECT/build?delay=0sec
But a similar approach for the URL in CCtray doesn't seem to work.
I've just started using the cctray Jenkins transport extension. Early days, but it seems to work as advertised and is connecting to our secure server perfectly happily.
Currently, the only significant limitation seems to be that if your password expires there's no way to re-enter your credentials.
For Jenkins servers without anonymous access, you can use Catlight build notification tool. You can provide access token or username/password to authenticate to your server.
I you have a self-signed ssl certificate, make sure that you add it to trusted by OS. That way, most applications will recognize it and connect to server without warnings.
Adding to #MrBlueSky 's answer, you can avoid the password expiration hassle; simply use a Jenkins-issued API Token instead of your password.
Log into Jenkins
Click your username (in the upper right corner)
Click Configure (in the left navbar)
Click Show API Token
Use this token in place of your password when setting up the Jenkins Transport settings

Different password for SSH and Session(KDE, Gnome, etc.)

I'm use an Debian based OS here on my work an i've configured the service for test routines of ERP app...
This service (Tomcat+Java service) it's consumed via HTTP on intranet correctly...but the test leader sometimes need chance the database used by service application and uses SSH to access my machine to change database on config file and restart the service...eventually this person change some service or O.S. config throwing problems to me (on my O.S and others things..).
What i want know is if can i change my password only for SSH service (doesn't change to my KDE/Gnome session), just because the company's policy requires everyone to have a default password on stations...
Remebering that i'm a manager of config, maintenance and others jobs of service to test team...and change database solicitations can made to me.
A simple example:
KDE login if user 'carlos' and password '123456'
SSH login if user 'carlos' and password '4nyJokeHere'
That it's possible ?
Thanks in advance.
Possible? Maybe. You'd probably have to fiddle with pam.d to get SSH authenticating via a different mechanism to KDE etc.
Coming from a different angle, I may be missing something, can you not create a second user for the SSH process, keeping your main user for KDE etc cleanly separate?
I'd really strongly recommend trying to "split" a user into multiple purposes/security groups with differing passwords for each!
You can use authorized_keys to restrict the SSH commands available, and/or sudo...
Update: Some expansion on the subject as requested by the OP
You can limit commands available via SSH by using ~/.ssh/authorised_keys file - see O'Reilly for a good explanation.
I'm was solved this case applying a single rule here. On SSH service i'm was locked access of my user 'carlos --> sudoers' and enable access only for a user called 'padrao' (padrao translated to english is 'default').
This user 'padrao' doesn't have sudoers permissions. If i needed access with SSH my machine i'm do:
ssh padrao#my.intranet.machine
password: ***
$ su carlos
password: ***
This is not the best way to solve, but solved my problem here.
Thanks.

how to ask for username and password on lan computer when a user opens a web browser first time

I have made database of 10 users and password. Now I want to prompt a dialog box on lan computer in which they have to enter username and password given by me whenever they open browser every time for accessing internet.
How can I do so?
I have also installed a squid proxy.
Maybe this will help: http://wiki.squid-cache.org/ConfigExamples/Authenticate/Mysql (assuming you have a MySQL database).
You can use just basic username and password authentication. Since you are only talking about 10 users.
https://nodevine.com/library/messing-with-http-headers-in-squid-2-6-and-3-0-for-high-anonymity-in-centos-and-ubuntu

Windows Authentication prompt username field autopopulates and cannot be changed

I have a website that uses Windows Authentication to authenticate its users. Normally when a user accesses the site on an IE browser the username field is populated with the computers domain name and user name. This is usually incorrect and the user enters the correct username and their password and can access the site.
I have a user now on Windows 7 IE8(I beleive) and the username field in the credential prompt is being autopopulated with domain\userName except the username is incorrect and we cannot change it. The user is unable to log into the site because of this. Has anyone experienced this before? Does anyone know why the username field cannot be changed? Solutions I have tried:
Clearing cache and stored form data/passwords etc
Site is in users trusted sites. So I had the user change the settings to "Prompt for username and password" but the prompt still comes up with the username autopopulated and does not let her change it.
I have never run into this before. Our users do not have any issue logging in, its just this one corporate location that was just set up and is running Windows 7(Rest of the company is under Windows XP) If it matters this is a sharepoint 2010 web application
Any help on this would be greatly appreciated as I have an entire group of users with this problem. Im willing to bet this would not be an issue in a different browser but they need to be able to use IE for application compatibility reasons.
Thanks!
I was able to fix it by doing the following:
Go to Start, Control Panel, User Accounts, then click Manage Your Credentials, and look for the credentials to your site, if they are there Modify and “Remove from vault” ( I suppose you could Edit them to the correct credentials but I just removed it and it did not prompt her).
She had the wrong credentials stored there. Im not sure why clearing the cache and passwords from the internet options didnt work but this did.
I had this problem with a user where the domain stored with the credentials could not be changed. This is the only item online I could find even close to my problem. The user saw "user-pcdomain\localusername" auto entered in the form. He tried to correct it with "workdomain\workusername" but got a message saying "Please enter a user name and password". Eventually we realized that his system was sending "user-pcdomain\workdomain" as his username. I've never seen a login misfire like that.
In his case he did not have his credentials stored but needed to add credentials - "workdomain\workusername" - for all of the domains he needed to access.
The point is - to expand on the answer - that IE or Windows 7 or both will store credentials incorrectly on rare occasions and the solution is be creative about adding\editing\remove credentials with Manage Your Credentials

Resources