
RE: Problem changing passwords after import

Once I change the user's password I can successfully do an ldapwhoami, so
I would assume that I am binding at that point.  I guess I am looking at
how to proceed with users that have not had their passwords changed as
the manager.  Is there a different way that I should have imported them?

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com] 
Sent: Monday, August 13, 2007 9:28 PM
To: Rick Tautin
Cc: Pierangelo Masarati; openldap-software@openldap.org
Subject: Re: Problem changing passwords after import

Rick Tautin wrote:
> The directory is the only place that there is user information.  I
> all the entries out of the old password file and the only thing that
> in there are the local accounts.  So if it is not getting its
> credentials from the directory I don't know where it would be getting
> from.  Also when I stop the server I am unable to check mail or ftp to
> our servers.  

You're missing the crucial point that Unix services can authenticate
against an LDAP database without performing an LDAP Bind operation on
user. I.e., with sufficient privileges nss_ldap can just retrieve a
userPassword attribute and authenticate against it when it is stored in 
crypt(3) format, even if slapd doesn't itself support crypt (or the same
version of crypt).

> -----Original Message-----
> From: openldap-software-bounces+rtautin=coppolaenterprises.net@OpenLDAP.org
> On Behalf Of Pierangelo Masarati
> Sent: Monday, August 13, 2007 4:01 PM
> To: Rick Tautin
> Cc: openldap-software@openldap.org
> Subject: Re: Problem changing passwords after import
> Rick Tautin wrote:
>> That is where all the usernames and passwords are is in openldap, and
>> I am trying to use the ldappasswd command to change it.  If when I
>> compiled openldap if enable-crypt was disabled would I even be able
>> to login to other servers that are authenticating back to openldap?
> How can you tell the other services bind to OpenLDAP if even
> can't?  I guess binding to OpenLDAP fails, and services fall back to
> file based data.  Please carefully check the logs of your server
> proceeding any further.  It seems clear, from the little info you
> posted, that basic authentication (LDAP simple bind) is not working
> the credentials you stored in your directory.

   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP     http://www.openldap.org/project/
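
Added example, not part of the original thread: a small audit of an LDIF export that sorts each userPassword value by how slapd would treat it on a simple bind, which is the distinction Howard Chu draws above between a service checking crypt(3) itself and slapd verifying the credential. The DNs and hash strings are constructed placeholders and the function names are hypothetical.

```python
import base64
import re

# Schemes slapd checks itself on a simple bind. {CRYPT} is separate: it only
# works if slapd was built with --enable-crypt and its crypt(3) matches.
NATIVE = {"SSHA", "SHA", "SMD5", "MD5"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")

def parse_ldif(text):
    """Yield (dn, userPassword bytes or None) for each LDIF entry."""
    unfolded = text.replace("\n ", "")  # continuation lines start with a space
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, pw = None, None
        for line in block.splitlines():
            if line.startswith("dn:"):
                dn = line[3:].strip()
            elif line.startswith("userPassword::"):  # base64-encoded value
                pw = base64.b64decode(line.split("::", 1)[1].strip())
            elif line.startswith("userPassword:"):
                pw = line.split(":", 1)[1].strip().encode()
        if dn:
            yield dn, pw

def classify(pw):
    """Say how slapd would treat this stored value on a simple bind."""
    if pw is None:
        return "no-password"
    m = SCHEME_RE.match(pw.decode("utf-8", "replace"))
    if not m:
        return "unprefixed"  # slapd compares the value as a literal string
    scheme = m.group(1).upper()
    if scheme == "CRYPT":
        return "crypt"       # bind needs crypt support in slapd
    return "native" if scheme in NATIVE else "other"

def audit(text):
    return {dn: classify(pw) for dn, pw in parse_ldif(text)}

# Constructed sample entries; names and hash strings are placeholders.
SAMPLE = "\n\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com\nuserPassword:: "
    + base64.b64encode(b"{crypt}PLACEHOLDERhash").decode(),
    "dn: uid=bob,ou=People,dc=example,dc=com\nuserPassword: {SSHA}PLACEHOLDERssha",
    "dn: uid=carol,ou=People,dc=example,dc=com\nuserPassword: PLACEHOLDERrawcrypt",
])

if __name__ == "__main__":
    for dn, kind in audit(SAMPLE).items():
        print(f"{kind:12} {dn}")
```

Entries reported as `crypt` or `unprefixed` are the ones where a service that reads userPassword directly can still authenticate the user while an LDAP simple bind against the same entry fails.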