I am having a problem changing a password after I import the user into ldap. But once I change the user's password with the manager account it works fine. I have pasted the output below and what my slapd.conf file looks like.
access to attrs=userPassword
    by self write
    by * auth
access to *
    by * read
and here is the command that I am entering
ldappasswd -x -D "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w rt#12345 -s tt#12345 "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com"
ldap_bind: Invalid credentials (49)
when I change the password as manager
ldappasswd -x -D "cn=manager,dc=example,dc=com" -W -s js#12345 "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com"
Enter LDAP Password:
Result: Success (0)
Now I can change it as the user
ldappasswd -x -D "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w js#12345 -s tt#12345 "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com"
Result: Success (0)
Thanks for the help
Does the user initially have a password? How is it set? How do you know that password is "rt#12345"?
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Yes, the user initially has a password. I used padl scripts to import all the users from a /etc/passwd file. So everyone's password is what it was when we were just using flat password files. Once I import the user I can ftp to a server with the username and password fine. So I know I am using the correct password. But it is when I go to change it as the user that I have the problem. But like I said before, once it is changed as the manager account, I can change it as the user. Thanks again.
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Mon 8/13/2007 12:39 PM
To: Rick Tautin
Cc: openldap-software@openldap.org
Subject: Re: Problem changing passwords after import
Rick Tautin wrote:
Yes, the user initially has a password. I used padl scripts to import all the users from a /etc/passwd file. So everyone's password is what it was when we were just using flat password files.
If those passwords were crypted using crypt(3), they might not be portable. This would explain your issue.
p.
I guess I am not sure what you mean by portable. I was able to import all the users into ldap and they can successfully authenticate with those usernames and passwords. Why then would just the manager account be able to change the password? Is there a way around this if they were all crypted with crypt(3)?
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Mon 8/13/2007 2:35 PM
To: Rick Tautin
Cc: openldap-software@openldap.org
Subject: Re: Problem changing passwords after import
Rick Tautin wrote:
I guess I am not sure what you mean by portable.
I mean: crypt(3) is implementation dependent, so different implementations (e.g. the one in libc and the one in openssl's libcrypto) do not interoperate.
I was able to import all the users into ldap and they can successfully authenticate with those usernames and passwords.
You mean ldapwhoami works for those users __before__ you force the password change using the manager identity? If ldapwhoami does, then ldappasswd must work as well.
Why then would just the manager account be able to change the password? Is there a way around this if they were all crypted with crypt(3)?
No straightforward manner. You'll need to crack those passwords (usually trivial with crypt(3)).
p.
ldapwhoami does not work until the password has been changed by manager. I meant that I can successfully pop mail and ftp to servers using the username and password before it has been changed by the manager account.
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Mon 8/13/2007 3:22 PM
To: Rick Tautin
Cc: openldap-software@openldap.org
Subject: Re: Problem changing passwords after import
Rick Tautin wrote:
ldapwhoami does not work until the password has been changed by manager. I meant that I can successfully pop mail and ftp to servers using the username and password before it has been changed by the manager account.
OK, but what does OpenLDAP have to do with it?
p.
That is where all the usernames and passwords are, in openldap, and I am trying to use the ldappasswd command to change it. If enable-crypt was disabled when I compiled openldap, would I even be able to login to other servers that are authenticating back to openldap?
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Mon 8/13/2007 3:45 PM
To: Rick Tautin
Cc: openldap-software@openldap.org
Subject: Re: Problem changing passwords after import
Rick Tautin wrote:
That is where all the usernames and passwords are, in openldap, and I am trying to use the ldappasswd command to change it. If enable-crypt was disabled when I compiled openldap, would I even be able to login to other servers that are authenticating back to openldap?
How can you tell the other services bind to OpenLDAP if even ldapwhoami can't? I guess binding to OpenLDAP fails, and services fall back to file based data. Please carefully check the logs of your server before proceeding any further. It seems clear, from the little info you posted, that basic authentication (LDAP simple bind) is not working with the credentials you stored in your directory.
p.
The directory is the only place that there is user information. I took all the entries out of the old password file and the only thing that is in there are the local accounts. So if it is not getting its credentials from the directory I don't know where it would be getting it from. Also when I stop the server I am unable to check mail or ftp to our servers.
-----Original Message-----
From: openldap-software-bounces+rtautin=coppolaenterprises.net@OpenLDAP.org [mailto:openldap-software-bounces+rtautin=coppolaenterprises.net@OpenLDAP.org] On Behalf Of Pierangelo Masarati
Sent: Monday, August 13, 2007 4:01 PM
To: Rick Tautin
Cc: openldap-software@openldap.org
Subject: Re: Problem changing passwords after import
Rick Tautin wrote:
The directory is the only place that there is user information. I took all the entries out of the old password file and the only thing that is in there are the local accounts. So if it is not getting its credentials from the directory I don't know where it would be getting it from. Also when I stop the server I am unable to check mail or ftp to our servers.
You're missing the crucial point that Unix services can authenticate users against an LDAP database without performing an LDAP Bind operation on that user. I.e., with sufficient privileges nss_ldap can just retrieve a user's userPassword attribute and authenticate against it when it is stored in crypt(3) format, even if slapd doesn't itself support crypt (or the same version of crypt).
Once I change the user's password I can successfully do an ldapwhoami, so I would assume that I am binding at that point. I guess I am looking for how to proceed with users that have not had their passwords changed as the manager. Is there a different way that I should have imported them? Thanks
-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]
Sent: Monday, August 13, 2007 9:28 PM
To: Rick Tautin
Cc: Pierangelo Masarati; openldap-software@openldap.org
Subject: Re: Problem changing passwords after import
Rick Tautin wrote:
Once I change the user's password I can successfully do an ldapwhoami, so I would assume that I am binding at that point. I guess I am looking for how to proceed with users that have not had their passwords changed as the manager. Is there a different way that I should have imported them?
No, not really, short of cracking all of the crypt'd passwords so you could import their plaintext. The point is that you need to compile slapd with --enable-crypt and make sure that the crypt() routine you link with is the same one as (or compatible with) the one the system uses for its own authentication checks. As pointed out in the FAQ http://www.openldap.org/faq/index.cgi?file=1041, if you're using OpenSSL it's very likely that you've got the wrong one.
Thank you, I will try this route.
-----Original Message-----
From: openldap-software-bounces+rtautin=coppolaenterprises.net@OpenLDAP.org on behalf of Howard Chu
Sent: Tue 8/14/2007 5:07 AM
To: Rick Tautin
Cc: openldap-software@openldap.org
Subject: Re: Problem changing passwords after import
Rick Tautin wrote:
ldapwhoami does not work until the password has been changed by manager. I meant that I can successfully pop mail, ftp to servers using the username and password before it has been changed by the manager account
Do you have a sample LDIF entry so we can see what the password format was before import?
Gavin.
Here is a sample ldif entry.
dn: uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com
uid: user1
cn: Test User
sn: User
mail: user1@example.com
mailRoutingAddress: user1@pellns.example.com
mailHost: pellns.example.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {crypt}HmiRzy27ULRyo
loginShell: /bin/false
uidNumber: 1579
gidNumber: 1001
homeDirectory: /user/U/user1
-----Original Message-----
From: Gavin Henry [mailto:ghenry@suretecsystems.com]
Sent: Monday, August 13, 2007 5:18 PM
To: Rick Tautin
Cc: Pierangelo Masarati; openldap-software@openldap.org
Subject: Re: Problem changing passwords after import
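Added example (not code from the thread or from OpenLDAP): a small Python audit of an LDIF export like the entry above. It classifies each userPassword storage scheme and reports which accounts can only complete an LDAP simple bind if slapd was built with --enable-crypt and links a crypt() compatible with the one that produced the hash, which is the condition Howard and Pierangelo describe. user1 is the posted entry; user2 and user3 are constructed entries, and the {SSHA} and $6$ values are placeholders, not real digests.

```python
import base64
import re

# Constructed sample: user1 is the entry posted in the thread; user2 (a base64
# {SSHA} placeholder, the form slapcat emits) and user3 (a glibc-style $6$
# crypt hash folded over two lines) are assumed entries added for illustration.
SAMPLE_LDIF = """\
dn: uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com
userPassword: {crypt}HmiRzy27ULRyo

dn: uid=user2,ou=users,dc=example,dc=com
userPassword:: e1NTSEF9YWJjMTIz

dn: uid=user3,ou=users,dc=example,dc=com
userPassword: {CRYPT}$6$saltsalt$placeholder.hash.value
 .folded.onto.a.second.line
"""
# Traditional DES crypt(3): 2-char salt + 11 chars, all from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Schemes slapd verifies with its own code, independent of the system crypt().
BUILTIN = {"SSHA", "SHA", "SMD5", "MD5", "cleartext"}


def parse_ldif(text):
    """Minimal LDIF reader: folds continuation lines, splits entries on blank
    lines and decodes '::' (base64) values; attribute names are lower-cased."""
    lines = []
    for raw in text.splitlines():  # a leading space continues the previous line
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                entries.append(entry)
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entries


def classify(value):
    """Name the storage scheme of one userPassword value."""
    m = re.match(r"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return "cleartext"
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme != "CRYPT":
        return scheme
    if rest.startswith("$1$"):
        return "CRYPT:md5"
    if rest.startswith(("$5$", "$6$")):
        return "CRYPT:sha2"
    return "CRYPT:des" if DES_CRYPT.match(rest) else "CRYPT:unknown"


def simple_bind_possible(scheme, slapd_crypt_enabled):
    """Can slapd itself verify this hash on a simple bind?  {CRYPT} needs
    --enable-crypt and a linked crypt() that implements the stored form (OpenSSL's
    libcrypto crypt() knows only traditional DES); a miss is invalidCredentials (49)."""
    return scheme in BUILTIN or (scheme.startswith("CRYPT:") and slapd_crypt_enabled)


def audit(text, slapd_crypt_enabled):
    """Map each DN to '<scheme> bind=ok|FAIL' ('no-password' if the attribute is absent)."""
    report = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        pw = entry.get("userpassword", [None])[0]
        scheme = classify(pw) if pw else "no-password"
        ok = simple_bind_possible(scheme, slapd_crypt_enabled)
        report[dn] = f"{scheme} bind={'ok' if ok else 'FAIL'}"
    return report
```

Run `audit(open("export.ldif").read(), slapd_crypt_enabled=False)` over a slapcat export to list the accounts that will fail a simple bind until they are reset or slapd is rebuilt with a compatible crypt; any DN reported as CRYPT:des is also in the category Pierangelo calls trivial to crack and belongs at the front of the migration queue.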