(ITS#4085) ldapasswd - password hash failed
Full_Name: Andrew N Parker
Version: 2.2.26 & 2.2.29
OS: RedHat EL 3.2
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.60.106.5)
I have been trying to update userPassword using both ldapmodify and ldappasswd.
Using ldappasswd I receive the response:
/usr/local/openldap2226/bin/ldappasswd -x -D cn=root,dc=eu,dc=unilever,dc=com -w
XXXXXX -s passwd uid=aparke03,ou=people,dc=eu,dc=unilever,dc=com
Result: Internal (implementation specific) error (80)
Additional info: password hash failed
The server debug messages are:
connection_get(9): got connid=7
connection_read(9): checking for input on id=7
ber_get_next
ldap_read: want=8, got=8
0000: 30 32 02 01 01 60 2d 02 02...`-.
ldap_read: want=44, got=44
0000: 01 03 04 20 63 6e 3d 72 6f 6f 74 2c 64 63 3d 65 ... cn=root,dc=e
0010: 75 2c 64 63 3d 75 6e 69 6c 65 76 65 72 2c 64 63 u,dc=unilever,dc
0020: 3d 63 6f 6d 80 06 73 65 63 72 65 74 =com..XXXXXX
ber_get_next: tag 0x30 len 50 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=root,dc=eu,dc=unilever,dc=com>
=> ldap_bv2dn(cn=root,dc=eu,dc=unilever,dc=com,0)
ldap_err2string
<= ldap_bv2dn(cn=root,dc=eu,dc=unilever,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=root,dc=eu,dc=unilever,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(cn=root,dc=eu,dc=unilever,dc=com)=0 Success
<<< dnPrettyNormal: <cn=root,dc=eu,dc=unilever,dc=com>,
<cn=root,dc=eu,dc=unilever,dc=com>
do_bind: version=3 dn="cn=root,dc=eu,dc=unilever,dc=com" method=128
do_bind: v3 bind: "cn=root,dc=eu,dc=unilever,dc=com" to
"cn=root,dc=eu,dc=unilever,dc=com"
send_ldap_result: conn=7 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=0
ber_flush: 14 bytes to sd 9
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
ldap_write: want=14, written=14
0000: 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00 0....a........
connection_get(9): got connid=7
connection_read(9): checking for input on id=7
ber_get_next
ldap_read: want=8, got=8
0000: 30 5b 02 01 02 77 56 80 0[...wV.
ldap_read: want=85, got=85
0000: 17 31 2e 33 2e 36 2e 31 2e 34 2e 31 2e 34 32 30 .1.3.6.1.4.1.420
0010: 33 2e 31 2e 31 31 2e 31 81 3b 30 39 80 2f 75 69 3.1.11.1.;09./ui
0020: 64 3d 61 70 61 72 6b 65 30 33 2c 6f 75 3d 70 65 d=aparke03,ou=pe
0030: 6f 70 6c 65 2c 64 63 3d 65 75 2c 64 63 3d 75 6e ople,dc=eu,dc=un
0040: 69 6c 65 76 65 72 2c 64 63 3d 63 6f 6d 82 06 70 ilever,dc=com..p
0050: 61 73 73 77 64 asswd
ber_get_next: tag 0x30 len 91 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
do_extended
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt ({) ber:
ber_scanf fmt (m) ber:
ber_scanf fmt (m) ber:
>>> dnNormalize: <uid=aparke03,ou=people,dc=eu,dc=unilever,dc=com>
=> ldap_bv2dn(uid=aparke03,ou=people,dc=eu,dc=unilever,dc=com,0)
ldap_err2string
<= ldap_bv2dn(uid=aparke03,ou=people,dc=eu,dc=unilever,dc=com)=0 Success
=> ldap_dn2bv(272)
ldap_err2string
<= ldap_dn2bv(uid=aparke03,ou=people,dc=eu,dc=unilever,dc=com)=0 Success
<<< dnNormalize: <uid=aparke03,ou=people,dc=eu,dc=unilever,dc=com>
send_ldap_extended: err=80 oid= len=0
send_ldap_response: msgid=2 tag=120 err=80
ber_flush: 34 bytes to sd 9
0000: 30 20 02 01 02 78 1b 0a 01 50 04 00 04 14 70 61 0 ...x...P....pa
0010: 73 73 77 6f 72 64 20 68 61 73 68 20 66 61 69 6c ssword hash fail
0020: 65 64 ed
ldap_write: want=34, written=34
0000: 30 20 02 01 02 78 1b 0a 01 50 04 00 04 14 70 61 0 ...x...P....pa
0010: 73 73 77 6f 72 64 20 68 61 73 68 20 66 61 69 6c ssword hash fail
0020: 65 64 ed
connection_get(9): got connid=7
connection_read(9): checking for input on id=7
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 03 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
ber_get_next on fd 9 failed errno=11 (Resource temporarily unavailable)
connection_get(9): got connid=7
connection_read(9): checking for input on id=7
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 9 failed errno=0 (Success)
connection_read(9): input error=-2 id=7, closing.
connection_closing: readying conn=7 sd=9 for close
connection_close: deferring conn=7 sd=9
do_unbind
connection_resched: attempting closing conn=7 sd=9
connection_close: conn=7 sd=9
I have tried prefixing the -s <passwd_string> with {SSHA}, {SHA}, etc. but
receive the same response. slapd will not start with an invalid value in
password-hash. Also note that test 10 for ldappasswd passes!
In addition, using ldapadd to modify the userPassword attribute from an LDIF
format file results in an unusable "encrypted" string.
The configuration file is:
replogfile /var/slapd.replog
ucdata-path /data # Path for Unicode data files.
# To enable the slapd daemon to run chroot'd, the schema files from the
# installation tree should be copied into the <chroot directory>/schema
# area and be made readable to the -u user on the slapd start line command.
include /schema/core.schema
include /schema/corba.schema
include /schema/cosine.schema
include /schema/dyngroup.schema
include /schema/inetorgperson.schema
include /schema/java.schema
include /schema/misc.schema
include /schema/nis.schema
include /schema/openldap.schema
# Copy these files from the /etc/openldap/redhat/schema area.
#include schema/redhat/autofs.schema
#include schema/redhat/kerberosobject.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
#referral ldap://root.openldap.org
# The process id file and argsfile are found relative to the chroot directory
# (-r <chroot-dir> used to start the daemon. See slapd file.
# Log connection management, ACL, statistics for connection, stats for
# results to clients.
loglevel 904
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# SASL options for security management.
#sasl-host cgtsapp995.eu.unilever.com
#sasl-realm cgtsapp995.eu.unilever.com
#sasl-secproperties noplain,noanonymous,minssf=56
# Create a replication log in /var/lib/ldap for use by slurpd.
# replogfile /var/lib/ldap/master-slapd.replog
# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# modulepath /usr/local/bdb4321/lib
# moduleload libdb_cxx-4.3.la
#
#moduleload libdb-4.3.la
#moduleload back_ldap.la
#moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
modulepath /usr/local/openldap2229/libexec/openldap
#moduleload back_hdb.la
# The following lines define a Digital Certificate (X.509) to be used
# by Transport Level Security feasture and Start/TLS. These certificates
# have been created by the implementation of a self signed Cetificate
#TLSCipherSuite HIGH:MEDIUM
TLSCipherSuite TLSv1:HIGH:SSLv3
TLSCACertificateFile /ssl/certs/cacert.pem
TLSCertificateFile /ssl/certs/ldap.cert.pem
TLSCertificateKeyFile /ssl/certs/ldap.key.pem
TLSVerifyClient try # If client provides certificate, it must be valid.
# Now make the StartTLS system available.
#ssl off
#ssl start_tls
#security tls=128
# Used salted secure hash algorith to store userPassword. This is the default.
#password-hash {md5}
# Access rule: accounts (this DIT for Unilever staff in Europe).
# user can change own password if authenticated
# all members of Consumer Administration team can change password.
# all members of UNIX Support can change password.
#access to dn.children="ou=people,dc=eu,dc=unilever,dc=com"
access to dn.children="ou=people,dc=eu,dc=unilever,dc=com"
attrs=userPassword
by self write
# by * auth
# by dn.children="ou=itcat,dc=eu,dc=unilever,dc=com" write continue
# by dn.children="ou=itunix,dc=eu,dc=unilever,dc=com" write
#
## Access rule: itcat - Consumer Administration team for Europe.
## User can change own password if authenticated.
## All UNIX Support team nac change CAT passwords.
#access to dn.children="ou=itcat,dc=eu,dc=unilever,dc=com"
# attrs=userPassword
# by self write
# by * auth
# by dn.children="ou=itunix,dc=eu,dc=unilever,dc=com" write
#
## Access rule: it - this DIT for IT members not in itcat, not in itunix.
## User can change password if authenticated.
## All Consumer Administration team can change password.
## All UNIX Support can change passsword.
## All Consumer Administration team can change password.
## All UNIX Support can change passsword.
#access to dn.children="ou=it,dc=eu,dc=unilever,dc=com"
# attrs=userPassword
# by self write
# by * auth
# by dn.children="ou=itcat,dc=eu,dc=unilever,dc=com" write continue
# by dn.children=ou=itunix,dc=eu,dc=unilever,dc=com" write
#
## Access rule: it - this DIT for IT admin - SAP/TWS/Backup/DBA/ etc
## User can change password if authenticated.
## All Consumer Administration team can change password.
## All UNIX Support can change passsword.
#access to dn.children="ou=it,dc=eu,dc=unilever,dc=com"
# attrs=userPassword
# by self write
# by * auth
# by dn.children="ou=itcat,dc=eu,dc=unilever,dc=com" write continue
# by dn.children=ou=itunix,dc=eu,dc=unilever,dc=com" write
#
## Access rule: itunix this DIT for UNIX Support in Europe.
## Members can change their passwords and each others.
#access to dn.children="ou=itunix,dc=eu,dc=unilever,dc=com"
# attrs=userPassword
## by self write
by * auth
# by dn.children="ou=itunix,dc=eu,dc=unlever,dc=com" write
#
## Access rule: rootdn
## Members can change their passwords and each others.
#access to dn.children="ou=root,dc=eu,dc=unilever,dc=com"
# attrs=userPassword
# by self write
# by * auth
# by dn.children="ou=root,dc=eu,dc=unlever,dc=com" write
#
## all other details viewable only.
##access to *
## by * read
#
##---------------------------------------------------------------------
database bdb
directory /bdb
suffix "dc=eu,dc=unilever,dc=com"
rootdn "cn=root,dc=eu,dc=unilever,dc=com"
#-- The slapd.conf file must be readble only bu ldap account and no one else.
# password= secret
#rootpw {crypt}ijFYNcSNctBYg
rootpw {SSHA}EL+f6HHGKsN0LJAj3xxoNzNMO+uzUwYD
# Define provider details for replication.
#overlay syncprov
#syncprov-checkpoint 10 5
#syncprov-sessionlog 1000
sessionlog SIDSID LIMLIM # These values substitued by slapd
# start up command.
index objectClass,entryCSN,entryUUID eq
# Create the required indexes.
#index objectClass,uid,uidNumber,gidNumber,memberUid eq
#index cn,mail,surname,givenname eq,subinitial
#These indexes are created to support calls such as getpwid, getpwnam.
index cn,uid eq
index uidNumber eq
index gidNumber eq
#index objectClass eq
# Replicas to which we should propagate changes
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
lastmod on
readonly off
mode 0600
cachesize 1000
System is configured with:
./configure \
--x-includes=/usr/include \
--x-includes=/usr/include/openssl/ssl \
--x-includes=/usr/include/openssl \
--x-libraries=/usr/lib \
--x-libraries=/lib \
--x-libraries=/lib/tls \
--prefix=${TARGET} \
--enable-debug \
--enable-dynamic \
--enable-syslog \
--enable-proctitle \
--enable-ipv6 \
--enable-local \
--with-cyrus-sasl \
--with-threads \
--with-tls \
--with-yielding-select \
--with-overlays \
--enable-slapd \
--enable-slapi \
--enable-cleartext \
--enable-crypt \
--enable-spasswd \
--enable-lmpasswd \
--enable-aci \
--enable-modules \
--enable-rewrite \
--enable-rlookups \
--enable-wrappers \
--enable-bdb \
--enable-dnssrv=mod \
--enable-ldap \
--enable-passswd=mod \
--enable-perl=mod \
--enable-shell=mod \
--enable-dyngroup \
--enable-proxycache \
--enable-slurpd \
--enable-hdb=mod \
--enable-ldbm=mod \
--enable-ldbm-api=auto \
--enable-ldbm-type=auto \
--enable-meta=mod \
--enable-null=mod \
--enable-static \
--enable-shared | \
tee -a $Log_File
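The trace above shows the Password Modify exchange only as hex dumps. The following added example (not OpenLDAP code) is a minimal BER reader that decodes the two messages exactly as they appear in the ldap_read and ber_flush dumps, so it is visible that the client sends the cleartext new password inside the extended operation (slapd applies password-hash itself, which is why prefixing -s with {SSHA} cannot help) and that slapd answers resultCode 80 with the diagnostic "password hash failed".

```python
"""Decode the LDAP Password Modify (RFC 3062) request and response from the trace."""

# Bytes reassembled from the hex dumps in the slapd trace above.
OID = b"1.3.6.1.4.1.4203.1.11.1"                       # passwdModify extended op
DN = b"uid=aparke03,ou=people,dc=eu,dc=unilever,dc=com"
REQUEST = (b"\x30\x5b\x02\x01\x02\x77\x56\x80\x17" + OID
           + b"\x81\x3b\x30\x39\x80\x2f" + DN + b"\x82\x06passwd")
RESPONSE = (b"\x30\x20\x02\x01\x02\x78\x1b\x0a\x01\x50\x04\x00\x04\x14"
            + b"password hash failed")


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: count byte, then that many length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """Split a constructed value into an ordered list of (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out


def decode_message(msg):
    """Decode an LDAPMessage carrying an ExtendedRequest (0x77) or ExtendedResponse (0x78)."""
    _, body, _ = read_tlv(msg)                             # outer SEQUENCE
    (_, msgid), (op_tag, op) = children(body)[:2]
    out = {"msgid": int.from_bytes(msgid, "big")}
    if op_tag == 0x77:                                     # [APPLICATION 23] ExtendedRequest
        fields = dict(children(op))
        out["oid"] = fields[0x80].decode()                 # [0] requestName
        value = dict(children(read_tlv(fields[0x81])[1]))  # [1] requestValue wraps a SEQUENCE
        out["user"] = value[0x80].decode()                 # [0] userIdentity
        out["new_password"] = value[0x82].decode()         # [2] newPasswd: cleartext, hashed by slapd
    elif op_tag == 0x78:                                   # [APPLICATION 24] ExtendedResponse
        (_, code), (_, matched_dn), (_, diag) = children(op)[:3]
        out["result_code"] = int.from_bytes(code, "big")   # ENUMERATED resultCode (80 = other)
        out["matched_dn"] = matched_dn.decode()
        out["diagnostic"] = diag.decode()
    return out


if __name__ == "__main__":
    print(decode_message(REQUEST))
    print(decode_message(RESPONSE))
```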