I am unable to change users passwords as themselves. When a user tries to change their password, they get and error invalid credentials(49). I have tried every option of changing the acl's to allow them to bind and change it but nothing has worked. Any help would be appreciated. Here is my slapd.conf and the command I am trying to use to change the password.
ldappasswd -x -D "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w tt#12345 -s new#1234 uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
#tru64 bind
allow bind_v2
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
## access to dn.base="cn=Subschema" by * read
access to * by self write by * read
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}OIbjYF+qgnf6+yiF+QvFMKhUONMmRp1q
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
index cn,uid eq
index uidNumber eq
index gidNumber eq
index userPassword eq
#logging
loglevel 512
#cache size
cachesize 2000
Rick Tautin wrote:
I am unable to change users passwords as themselves. When a user tries to change their password, they get and error invalid credentials(49). I have tried every option of changing the acl's to allow them to bind and change it but nothing has worked. Any help would be appreciated. Here is my slapd.conf and the command I am trying to use to change the password.
ldappasswd -x -D "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w tt#12345 -s new#1234 uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com
The fact that you get 49 (invalid credentials) clearly indicates that the command is failing authentication, so you're not even getting to password change. You should check first that you can bind with that identity, for example using ldapwhoami. Moreover, invalid credentials i a rather generic error, it doesn't simply mean the password is wrong, so you should carefully inspect server logs to see where the problem is actually occurring.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Here is the output from ldapwhoami
ldapwhoami -x -h ldap1.example.com -D "uid=user1,ou=users,employees,ou=users,dc=example,dc=com" -w tt#12345 ldap_bind: Invalid DN syntax (34) additional info: invalid DN
But if I do an ldapsearch using the manager account all info show up on this user.
-----Original Message----- From: Pierangelo Masarati [mailto:ando@sys-net.it] Sent: Thursday, August 09, 2007 3:15 AM To: Rick Tautin Cc: openldap-software@openldap.org Subject: Re: Problems changing passwords
Rick Tautin wrote:
I am unable to change users passwords as themselves. When a user
tries
to change their password, they get and error invalid credentials(49).
I
have tried every option of changing the acl's to allow them to bind
and
change it but nothing has worked. Any help would be appreciated.
Here
is my slapd.conf and the command I am trying to use to change the password.
ldappasswd -x -D "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w
tt#12345
-s new#1234 uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com
The fact that you get 49 (invalid credentials) clearly indicates that the command is failing authentication, so you're not even getting to password change. You should check first that you can bind with that identity, for example using ldapwhoami. Moreover, invalid credentials i a rather generic error, it doesn't simply mean the password is wrong, so you should carefully inspect server logs to see where the problem is actually occurring.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Thank you so much, I guess all I needed was another set of eyes..
-----Original Message----- From: openldap-software-bounces+rtautin=coppolaenterprises.net@OpenLDAP.org on behalf of Gavin Henry Sent: Fri 8/10/2007 5:05 AM To: Rick Tautin Cc: openldap-software@openldap.org Subject: Re: Problems changing passwords
Rick Tautin wrote:
Here is the output from ldapwhoami
ldapwhoami -x -h ldap1.example.com -D "uid=user1,ou=users,employees,ou=users,dc=example,dc=com" -w tt#12345 ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
ou=employees, not just employees.
Gavin.
Rick Tautin wrote:
Thank you so much, I guess all I needed was another set of eyes..
It was weird, since you had it right in your first e-mails.
Oh well ;-)
Gavin.
-----Original Message----- From: openldap-software-bounces+rtautin=coppolaenterprises.net@OpenLDAP.org on behalf of Gavin Henry Sent: Fri 8/10/2007 5:05 AM To: Rick Tautin Cc: openldap-software@openldap.org Subject: Re: Problems changing passwords
Rick Tautin wrote:
Here is the output from ldapwhoami
ldapwhoami -x -h ldap1.example.com -D "uid=user1,ou=users,employees,ou=users,dc=example,dc=com" -w tt#12345 ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
ou=employees, not just employees.
Gavin.
openldap-software@openldap.org
-
Gavin Henry -
Pierangelo Masarati -
Rick Tautin