
RE: More password questions



All,

I have done some more testing but am still hitting a wall.

In summary:

        If the account exists just in files or in both files and LDAP, everything is OK.

        If the account exists just in LDAP I can login but can't change the password.

As you can see from below, the password was encrypted when I created the account (I used useradd and migrated with the PADL utilities rather than just LDIF).

After failing with the standard passwd command (see below), I tried ldappasswd and received different errors:

login as: dduck
Sent username "dduck"
dduck@anadts41's password:
[dduck@anadts41 dduck]$ ldappasswd
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-13): user not found: no secret in database
[dduck@anadts41 dduck]$

login as: root
Sent username "root"
root@anadts41's password:
Last login: Fri Aug  1 15:36:08 2003 from 192.168.162.41
[root@anadts41 root]# ldappasswd dduck
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
        additional info: SASL(-13): user not found: no secret in database
[root@anadts41 root]#

I've tried various settings of the password-hash parameter in the slapd.conf file.  Nothing helps.

Thanx for any ideas.

Joe Jadick 
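The ldappasswd transcript above fails inside a SASL/DIGEST-MD5 bind, and the userPassword value shown in the earlier mail is stored with the {crypt} scheme (its base64 value begins with the encoding of `{crypt}`). The following is an added example, not code from the mail or from OpenLDAP: it parses an LDIF record the way ldapsearch prints it (with `::` marking base64 values), identifies the password scheme, and reports which bind paths can verify such a value. The records, the password "example-pw" and the salt are constructed for the example, and the {crypt} value is a labelled placeholder rather than a real hash.

```python
import base64
import hashlib
import hmac

# --- hashing helpers in the shape slapd uses for {SSHA} -------------------

def ssha_hash(password, salt):
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_verify(password, stored):
    """Check a candidate password against an {SSHA} value, as a simple bind would."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

# --- LDIF handling ----------------------------------------------------------

def parse_ldif_record(text):
    """Parse one LDIF record into {attribute: [values]}.

    'attr: value' is a literal value; 'attr:: value' is base64 (this is how
    ldapsearch prints userPassword).  A line beginning with a space continues
    the previous line.
    """
    unfolded = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        attrs.setdefault(name, []).append(value)
    return attrs

def password_scheme(value):
    """Return the {SCHEME} prefix of a userPassword value, or CLEARTEXT if none."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return "CLEARTEXT"

def usable_bind_methods(scheme):
    """Which bind paths can verify a userPassword stored with this scheme.

    A simple bind lets slapd compare the candidate against any scheme it
    supports.  SASL DIGEST-MD5 is a challenge/response exchange, so the server
    must hold the cleartext (or a DIGEST-MD5-specific secret); a one-way hash
    such as {CRYPT} or {SSHA} gives it nothing to work with.
    """
    methods = {"simple"}
    if scheme == "CLEARTEXT":
        methods.add("SASL/DIGEST-MD5")
    return methods

# --- constructed sample records (not the entry from the mail) --------------

_SSHA_VALUE = ssha_hash("example-pw", salt=b"abcd")   # made-up password and salt
SSHA_RECORD = f"""dn: uid=dduck,ou=People,dc=example,dc=com
uid: dduck
objectClass: posixAccount
userPassword:: {base64.b64encode(_SSHA_VALUE.encode("ascii")).decode("ascii")}
uidNumber: 55555
"""

# Placeholder {crypt} value; the hash text is not a real crypt(3) output.
CRYPT_RECORD = """dn: uid=dduck,ou=People,dc=example,dc=com
uid: dduck
userPassword: {crypt}$1$PLACEHOLDER$not-a-real-hash
"""

def report(ldif_text):
    """Summarise how the stored password in a record can be verified."""
    record = parse_ldif_record(ldif_text)
    value = record["userPassword"][0]
    scheme = password_scheme(value)
    return {"scheme": scheme, "bind_methods": sorted(usable_bind_methods(scheme))}

if __name__ == "__main__":
    for text in (SSHA_RECORD, CRYPT_RECORD):
        print(report(text))
```

For both constructed records the report lists only a simple bind, which is the general point: a hashed userPassword can be checked by a simple bind but cannot supply the secret DIGEST-MD5 needs, so the client has to be told to bind simply (ldappasswd's `-x` option with a bind DN) rather than negotiate SASL.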

-----Original Message-----
From: Jadick, Joe
Sent: Friday, August 01, 2003 11:55 AM
To: 'openldap-software@OpenLDAP.org'
Subject: RE: More password questions


All,

Regarding the two questions in my prior e-mail, I received answers from Jawed and Andreas (thank you!).

I've been trying some of the suggestions and have had the following results:

1) Changes to ldap.conf file, etc.:

My environment is RedHat 8.0 with BDB.  I created the account on the server with useradd; then migrated it to LDAP with the padl script; and finally deleted it from the server with userdel.  On the clients I just created the home directory.  There are no entries for the account on any /etc/passwd or /etc/shadow files on either the client or server machines.  The LDAP-only record looks like this:

 
uid: dduck
cn: Donald Duck
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEwveGxsMjN5JDV2S2pmMnhVdXZucGhCSVBBTlU2dC8=
shadowLastChange: 12227
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 55555
gidNumber: 1000
homeDirectory: /home/dduck
gecos: Donald Duck

Again, for the LDAP-only user dduck, I can login or su to the account OK but can't change the password while logged in as the user or as root.  When I try to change the password, I get the following responses (as dduck and as root):

 
login as: dduck
Sent username "dduck"
dduck@10.48.245.217's password:
[dduck@anadts42 dduck]$
[dduck@anadts42 dduck]$ passwd
Changing password for user dduck.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
 
Ctl-C

[dduck@anadts42 dduck]$
[dduck@anadts42 dduck]$ su -
Password:
[root@anadts42 root]# passwd dduck
Changing password for user dduck.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
 
When I try to change root's password, no problemo:
 
[root@anadts42 root]# passwd root
Changing password for user root.
New password:
 
The password-hash parameter in my slapd.conf file takes the default of SSHA.  I have also set the parameter explicitly to {SSHA} with no effect.

 
In the ldap.conf file I have tried setting the pam_password parameter to clear and exop with no effect.  I notice in the LDAP System Administration book that this parameter defines methods for changing passwords so that this is probably not related to client hashing.

 
What else should I be looking at?
 
 
2) ACL question:

The suggestion to grant read access was correct.  However, the order seems to be important:

This works (although it is not recommended on page 57 of the O'Reilly LDAP book).

# Simple ACL granting read access to the world
access to *
     by * read
# Restrict userPassword to be used for authentication only, but allow users
# to modify their own passwords.
access to attrs=userPassword
     by self write
     by * auth

login as: dduck
Sent username "dduck"
dduck@10.48.245.217's password:
[dduck@anadts42 dduck]$ id
uid=55555(dduck) gid=1000(webadmins) groups=1000(webadmins),80(desktop),48(apache)
[dduck@anadts42 dduck]$


This doesn't work (although it is recommended on page 58 of the O'Reilly LDAP book).

# Restrict userPassword to be used for authentication only, but allow users
# to modify their own passwords.
access to attrs=userPassword
     by self write
     by * auth
# Simple ACL granting read access to the world.
access to *
     by * read

login as: dduck
Sent username "dduck"
dduck@10.48.245.217's password:
Access denied
dduck@10.48.245.217's password:


Obviously, I'm an LDAP newbie.  Any ideas or suggestions will be greatly appreciated.

Thanx,

Joe (still confused in Anaheim) Jadick






-----Original Message-----
From: Jadick, Joe
Sent: Wednesday, July 30, 2003 1:57 PM
To: openldap-software@OpenLDAP.org
Subject: More password questions


I have been working with LDAP in a Linux environment with one LDAP server/client machine and two LDAP client machines.

I have a user defined only in the LDAP database and can authenticate from all three client environments.  Also, su and getent passwd work correctly as does id while I'm logged on as the user.

What I can't do is change the user's password (either as root or as the user).

I've tried two things, both individually and together:

1) Add the following entry to the client ldap.conf file:

pam_password exop

2) Add the following entry to the server slapd.conf:

# Restrict userPassword to be for authentication only, but allow users to modify
# their own passwords.
access to attrs=userPassword
     by self write
     by * auth

Neither change helps. The second change is actually disruptive and I can no longer login or su to the LDAP account while in that mode.

I must be missing something really basic but can't figure out what.

Confused in Anaheim....
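Both the ACL section of the second mail (the "works" and "doesn't work" orderings) and the original mail (the userPassword directive that turned out to be disruptive) come down to how slapd chooses which `access to` directive applies. The following is an added example, not code from the mails or from OpenLDAP: a small model of slapd's first-match ACL selection, with the two orderings from the mail transcribed into it and an audit that flags shadowed directives and exposed password hashes. The requester categories ("anonymous", "self", "user") and the data layout are assumptions of the model; it covers ACL selection only and does not model the bind itself.

```python
# Minimal model of slapd ACL selection (OpenLDAP Administrator's Guide,
# "Access Control"), enough to show why directive order matters:
#   1. "access to" directives are tried in file order; the FIRST one whose
#      target matches the attribute being accessed is selected and the rest
#      are ignored.
#   2. Within it, the first "by" clause matching the requester applies; if
#      none matches, access is "none".
#   3. Access levels are ordered, and a granted level implies every lower one.
#
# Requesters are modelled as "anonymous" (unbound), "self" (bound as the owner
# of the entry) or "user" (bound as some other entry); "by *" matches all.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def effective_level(acl, attribute, requester):
    """Level the requester gets on `attribute` under an ACL given as a list of
    (target, [(who, level), ...]) tuples; target is "*" or an attribute name."""
    for target, rules in acl:
        if target == "*" or target == attribute:
            for who, level in rules:
                if who == "*" or who == requester:
                    return level
            return "none"          # directive matched but no "by" clause did
    return "none"

def allowed(acl, attribute, requester, needed):
    """True if the granted level is at least `needed`."""
    granted = effective_level(acl, attribute, requester)
    return LEVELS.index(granted) >= LEVELS.index(needed)

def shadowed_directives(acl):
    """Indices of directives that can never be reached because a catch-all
    "access to *" precedes them."""
    shadowed, seen_catch_all = [], False
    for i, (target, _) in enumerate(acl):
        if seen_catch_all:
            shadowed.append(i)
        if target == "*":
            seen_catch_all = True
    return shadowed

def audit(acl):
    """Findings a reviewer would raise about a slapd ACL, as plain strings."""
    findings = []
    for i in shadowed_directives(acl):
        findings.append(f"directive {i} ('access to {acl[i][0]}') is shadowed "
                        "by an earlier 'access to *'")
    if allowed(acl, "userPassword", "anonymous", "read"):
        findings.append("anonymous clients can read userPassword "
                        "(password hashes are disclosed)")
    if not allowed(acl, "userPassword", "self", "write"):
        findings.append("users cannot write their own userPassword "
                        "(self-service password change is impossible)")
    return findings

# The two orderings from the mail, transcribed into the model.
WORLD_READ_FIRST = [                       # catch-all first ("works" in the mail)
    ("*", [("*", "read")]),
    ("userPassword", [("self", "write"), ("*", "auth")]),
]
PASSWORD_FIRST = [                         # specific first (the book's ordering)
    ("userPassword", [("self", "write"), ("*", "auth")]),
    ("*", [("*", "read")]),
]

if __name__ == "__main__":
    for name, acl in (("world-read first", WORLD_READ_FIRST),
                      ("userPassword first", PASSWORD_FIRST)):
        print(name, audit(acl) or ["no findings"])
```

Under the catch-all-first ordering the userPassword directive is never consulted, so every client (anonymous included) gets read on the stored hash and the account owner never gets write on it; under the book's ordering anonymous clients get auth on userPassword (enough to bind, not enough to read the hash), the owner gets write, and everything else stays world-readable. The model says nothing about why the login itself failed with the second ordering, only that the first ordering is the one that exposes hashes.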
