
Re: Change user Password from an AIX on openLDAP server



On Tuesday, 6 October 2009 14:44:32 CASEIRO Philippe wrote:
> Hello
>
>   I'm running openldap-2.3.43 on an RHEL 5.3. All works fine (like usual)
> with the Linux clients but I have some troubles with AIX.
>
>  I have done these tests with an AIX 5.3 TL9 host.
>
>  When I change my password with AIX it runs like that
>
>    [user@host] $ passwd
>    Changing password for "user"
>    user's Old password:
>    user's New password:
>    Enter the new password again:
>
>    And it's done, over.
>
> When I check the modification on openLDAP server the password is in clear
> in the field < userPassword >.
>
> On my Linux clients it asks for the new password 2 times (normal ?)

Use the "use_authtok" option when calling pam_ldap in password lines, if preceded 
by e.g. pam_unix in password lines ...

> and is not
> in clear in the userPassword field.
>
>    [user@host] $ passwd
>    Changing password for user user.
>    Enter login(LDAP) password:
>    New UNIX password:
>    Retype new UNIX password:
>    New password:
>    Re-enter new password:
>    LDAP password information changed for user
>    passwd: all authentication tokens updated successfully.
>
> An extract of logs :
> From an AIX :
>
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
> Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc= xxx,dc=xx" mech=SIMPLE ssf=0
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 RESULT tag=97 err=0 text=
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD dn="uid=user,ou=users,dc= xxx,dc=xx"
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD attr=userpassword

AIX has just sent a normal modify of the userPassword attribute. If the client 
did not hash it, the server will not.

> Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1

The AIX box seems to support the password policy control, but it seems your 
LDAP server doesn't, so you are not using the ppolicy overlay.


> ... some troubles ....
>
> From Linux :
>
> Oct  6 15:37:40 srvldap slapd[2420]: conn=5765 op=1 SRCH base="ou=users,dc=xxx,dc=xx" scope=2 deref=0 filter="(&(|(&(accessTo=host22)(trustModel=byhost))(trustModel=fullaccess))(uid=user))"
> Oct  6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (accessTo) not indexed
> Oct  6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed
> Oct  6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed

You should probably index accessTo and trustModel attributes ...

> Oct  6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
> Oct  6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" mech=SIMPLE ssf=0
> Oct  6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 RESULT tag=97 err=0 text=
> Oct  6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 PASSMOD id="uid=user,ou=users,dc=xxx,dc=xx" new
> Oct  6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 RESULT oid= err=0 text=

The Linux box sends a password modify extended operation, in which case the 
server will always hash the password.

You may want to consider enabling the password policy overlay (this should 
give you password expiry notifications etc.), and to solve your cleartext 
password problem, use the "ppolicy_hash_cleartext" option, so that slapd will 
hash cleartext passwords sent in modify operations.

Regards,
Buchan
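An added, defender-side example that is not part of this thread: a Python check that scans an LDIF export (slapcat or ldapsearch output) and reports entries whose userPassword carries no {SCHEME} prefix, i.e. values slapd stored verbatim after a plain MOD like the AIX one above. The sample LDIF, its DNs and hash values are constructed.

```python
# Flag userPassword values an LDIF export shows without a {SCHEME} prefix.
import base64
import re

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")  # "attr: v" / "attr:: base64"
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")           # {SSHA}..., {CRYPT}..., ...

def parse_ldif(text: str) -> list:
    """Return [(dn, [(attr, value), ...])]; joins folded lines (leading space), decodes '::'."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        dn, attrs = None, []
        for m in filter(None, map(ATTR_RE.match, block.splitlines())):  # '#' lines never match
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if attr.lower() == "dn":
                dn = value
            else:
                attrs.append((attr, value))
        if dn:
            entries.append((dn, attrs))
    return entries

def classify_password(value: str) -> str:
    """Scheme name (upper case), or 'CLEARTEXT' when no scheme or {CLEARTEXT} is used."""
    m = SCHEME_RE.match(value)
    return "CLEARTEXT" if not m or m.group(1).upper() == "CLEARTEXT" else m.group(1).upper()

def audit(ldif_text: str) -> dict:
    """Map every DN that carries a userPassword to its storage scheme."""
    return {dn: classify_password(v) for dn, attrs in parse_ldif(ldif_text)
            for a, v in attrs if a.lower() == "userpassword"}

def cleartext_dns(ldif_text: str) -> list:
    return sorted(dn for dn, s in audit(ldif_text).items() if s == "CLEARTEXT")

# Constructed sample export (not from the thread); DNs and hash values are made up.
_SSHA_B64 = base64.b64encode(b"{SSHA}I2qVIb1sB1ym9OX+LmXOaSgF4uRmZh2I").decode()
SAMPLE_LDIF = f"""\
dn: uid=aixuser,ou=users,dc=example,dc=com
userPassword: secret123

dn: uid=linuxuser,ou=users,dc=example,dc=com
userPassword:: {_SSHA_B64}

dn: uid=folded,ou=users,dc=example,dc=com
userPassword: {{CRYPT}}$6$c0nstructedSalt$hashValueFoldedByTheLdifWriter
 OntoASecondLine
"""
```

Run it against a real export to confirm that the fix (ppolicy_hash_cleartext, or clients that send the password modify extended operation) took effect; a value stored with the {CLEARTEXT} scheme is reported as cleartext as well.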