On Wed, Jan 4, 2017 at 10:51 AM, Peng Yu pengyu.ut@gmail.com wrote:
Hi,
I can use the following command to change the password in openldap after I create an entry le.
$ sudo ldapsetpasswd le
Changing password for user uid=le,ou=Users,dc=mydomain,dc=example
New Password:
Retype New Password:
Successfully set password for user uid=le,ou=Users,dc=mydomain,dc=example
And I can see the userPassword field is changed upon calling the above command.
$ sudo ldapmodifyuser le
[sudo] password for pengy:
# About to modify the following entry :
dn: uid=le,ou=Users,dc=mydomain,dc=example
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: le
uid: le
uidNumber: 10103
gidNumber: 10002
homeDirectory: /home/le
loginShell: /bin/bash
gecos: le
description: User account
shadowMax: 180
shadowLastChange: 0
userPassword:: e1NTSEF9VzZHdlFnTkdDMitzUk5BRStpMGMzcElVWG9hVTYzRjk=
# Enter your modifications here, end with CTRL-D.
dn: uid=le,ou=Users,dc=mydomain,dc=example
Successfully modified user entry uid=le,ou=Users,dc=mydomain,dc=example in LDAP
(BTW, why whenever I run ldapsetpasswd to set the same password, the userPassword field is set differently?)
The userPassword field is changing because the system creates a new SSHA hash every time the password is set.
But the user le is not able to login to the servers (the servers connected to openldap for authentication) with the new password.
In /var/log/syslog of the openldap server (ubuntu), I see the following lines.
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 fd=39 ACCEPT from IP=172.17.1.6:51975 (IP=0.0.0.0:389)
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 BIND dn="" method=128
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 RESULT tag=97 err=0 text=
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SRCH base="dc=domain,dc=example" scope=2 deref=0 filter="(&(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(uid=le))"
Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (host) not indexed
Jan 2 12:17:22 openldapserver slapd[1082]: message repeated 3 times: [ <= bdb_equality_candidates: (host) not indexed]
Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (uid) not indexed
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
The log here shows a successful BIND. The "(host) not indexed" entry is not an error; it is simply a message telling you that the "host" attribute is a candidate to be indexed for your BDB database. If you want that message to go away, then add an equality index for host.
On the server being logged in to (named elnath, also an Ubuntu server), /var/log/auth.log has the following line.
Jan 2 12:17:22 elnath sshd[21249]: Failed password for le from xxx.xx.xx.xx port 57155 ssh2
Were you able to log into this server before changing the password? Do you have PAM set up on your client to use LDAP as a login source?
I have tried to stop slapd service then run slapindex as root and then start slapd service on the openldapserver. But it still does not work.
Could anybody let me know how to fix this issue? Thanks.
--
Regards,
Peng
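Two parts of the thread above lend themselves to a small worked check: the question of why userPassword comes out different each time the same password is set, and the slapd log excerpt in which the search for uid=le returns nentries=0. The Python below is an added example written for this page; it is not code from the thread's participants or from OpenLDAP. It assumes OpenLDAP's default {SSHA} scheme (SHA-1 over password followed by a short salt, then base64 of digest plus salt), and its log parser handles only the conn/op BIND, RESULT, SRCH and SEARCH RESULT lines, which are embedded as the sample input taken from the excerpt. The expected entry DN used for triage is the one printed by ldapmodifyuser in the thread.

```python
import base64
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# ---- Part 1: {SSHA} values as OpenLDAP stores them in userPassword ----

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build "{SSHA}" + base64(sha1(password || salt) || salt).
    A fresh random salt is drawn on every call, so setting the same password
    twice yields two different stored values that both verify."""
    if salt is None:
        salt = os.urandom(4)  # 4-byte salt, as slapd's default slappasswd output uses
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def ssha_split(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (20-byte SHA-1 digest, trailing salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]

def ssha_verify(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt; compare in constant time."""
    digest, salt = ssha_split(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)

def decode_ldif_userpassword(value: str) -> str:
    """LDIF prints userPassword with '::' and base64-encodes the whole value;
    strip that outer layer to see the {SCHEME}... string slapd holds."""
    return base64.b64decode(value).decode("ascii")

# ---- Part 2: triage of slapd access-log lines for a failed PAM/LDAP login ----

# Sample input: the slapd lines quoted in the thread above.
SAMPLE_SLAPD_LOG: List[str] = [
    r'Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 fd=39 ACCEPT from IP=172.17.1.6:51975 (IP=0.0.0.0:389)',
    r'Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 BIND dn="" method=128',
    r'Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 RESULT tag=97 err=0 text=',
    r'Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SRCH base="dc=domain,dc=example" scope=2 deref=0 filter="(&(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(uid=le))"',
    r'Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (host) not indexed',
    r'Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=',
]

_OP_RE = re.compile(r"conn=(\d+) op=(\d+) (BIND|SRCH|SEARCH RESULT|RESULT) (.*)")

def parse_slapd_lines(lines: List[str]) -> List[Dict]:
    """Group BIND/SRCH/RESULT lines by (conn, op) into one dict per operation."""
    ops: Dict[Tuple[int, int], Dict] = {}
    for line in lines:
        m = _OP_RE.search(line)
        if not m:
            continue  # ACCEPT lines and index hints carry no op number
        key = (int(m.group(1)), int(m.group(2)))
        entry = ops.setdefault(key, {"conn": key[0], "op": key[1]})
        kind, rest = m.group(3), m.group(4)
        if kind == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            entry["bind_dn"] = dn.group(1) if dn else ""  # "" is an anonymous bind
        elif kind == "SRCH":
            base = re.search(r'base="([^"]*)"', rest)
            filt = re.search(r'filter="(.*)"', rest)
            entry["base"] = base.group(1) if base else ""
            entry["filter"] = filt.group(1) if filt else ""
        else:  # RESULT or SEARCH RESULT
            err = re.search(r"err=(\d+)", rest)
            n = re.search(r"nentries=(\d+)", rest)
            entry["err"] = int(err.group(1)) if err else None
            if n:
                entry["nentries"] = int(n.group(1))
    return [ops[k] for k in sorted(ops)]

def _dn_parts(dn: str) -> List[str]:
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def triage_searches(ops: List[Dict], expected_dn: str) -> List[str]:
    """Report searches that returned zero entries; note when the search base
    is not a suffix of the DN the user entry is known to live under."""
    findings = []
    exp = _dn_parts(expected_dn)
    for op in ops:
        if op.get("nentries") != 0:
            continue
        base = _dn_parts(op.get("base", ""))
        msg = f"conn={op['conn']} op={op['op']}: search under base={op['base']!r} returned 0 entries"
        if exp[-len(base):] != base:
            msg += f"; base is not a suffix of expected entry DN {expected_dn!r}"
        findings.append(msg)
    return findings

if __name__ == "__main__":
    h1, h2 = ssha_hash("correct horse"), ssha_hash("correct horse")
    print(h1, h2, h1 != h2, ssha_verify("correct horse", h1), ssha_verify("correct horse", h2))
    print(decode_ldif_userpassword("e1NTSEF9VzZHdlFnTkdDMitzUk5BRStpMGMzcElVWG9hVTYzRjk="))
    for f in triage_searches(parse_slapd_lines(SAMPLE_SLAPD_LOG), "uid=le,ou=Users,dc=mydomain,dc=example"):
        print(f)
```

Running it prints two distinct {SSHA} strings for the same password that both verify, decodes the quoted userPassword:: value to its {SSHA} form (32 base64 characters, i.e. a 20-byte digest plus a 4-byte salt), and, for the log excerpt, reports that the anonymous-bind search under base="dc=domain,dc=example" found nothing and that this base is not a suffix of uid=le,ou=Users,dc=mydomain,dc=example. A mismatch like that is the first thing to rule out before touching indexes or password hashes, since slapd returning nentries=0 means PAM/NSS never found the entry to bind as.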