On Wed, Jan 4, 2017 at 10:51 AM, Peng Yu <pengyu.ut@gmail.com> wrote:
Hi,

I can use the following command to change the password in OpenLDAP
after I create an entry for le.

~~~
$ sudo ldapsetpasswd le
Changing password for user uid=le,ou=Users,dc=mydomain,dc=example
New Password:
Retype New Password:
Successfully set password for user uid=le,ou=Users,dc=mydomain,dc=example
~~~

And I can see the userPassword field is changed upon calling the above command.

~~~
$ sudo ldapmodifyuser le
[sudo] password for pengy:
# About to modify the following entry :
dn: uid=le,ou=Users,dc=mydomain,dc=example
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: le
uid: le
uidNumber: 10103
gidNumber: 10002
homeDirectory: /home/le
loginShell: /bin/bash
gecos: le
description: User account
shadowMax: 180
shadowLastChange: 0
userPassword:: e1NTSEF9VzZHdlFnTkdDMitzUk5BRStpMGMzcElVWG9hVTYzRjk=

# Enter your modifications here, end with CTRL-D.
dn: uid=le,ou=Users,dc=mydomain,dc=example
Successfully modified user entry uid=le,ou=Users,dc=mydomain,dc=example in LDAP
~~~

(BTW, why is the userPassword field set differently whenever I run
ldapsetpasswd with the same password?)


The userPassword field is changing because the system creates a new SSHA hash every time the password is set.
 
But the user le is not able to login to the servers (the servers
connected to openldap for authentication) with the new password.

In /var/log/syslog of the OpenLDAP server (Ubuntu), I see the following lines.

~~~
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 fd=39 ACCEPT from IP=172.17.1.6:51975 (IP=0.0.0.0:389)
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 BIND dn="" method=128
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 RESULT tag=97 err=0 text=
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SRCH base="dc=domain,dc=example" scope=2 deref=0 filter="(&(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(uid=le))"
Jan  2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (host) not indexed
Jan  2 12:17:22 openldapserver slapd[1082]: message repeated 3 times: [ <= bdb_equality_candidates: (host) not indexed]
Jan  2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (uid) not indexed
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
~~~


The log here shows a successful BIND. The "(host) not indexed" entry is not an error, it is simply a message telling you that the "host" attribute is a candidate to be indexed for your BDB database. If you want that message to go away then add an equality index for host.
 
On the server being logged into (named elnath, also an Ubuntu
server), /var/log/auth.log has the following line.

~~~
Jan  2 12:17:22 elnath sshd[21249]: Failed password for le from xxx.xx.xx.xx port 57155 ssh2
~~~


Were you able to log into this server before changing the password? Do you have PAM set up on your client to use LDAP as a login source?
 
I have tried stopping the slapd service, running slapindex as root, and then
starting the slapd service again on the openldapserver. But it still does not work.

Could anybody let me know how to fix this issue? Thanks.

--
Regards,
Peng
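The reply above attributes the changing userPassword value to a fresh SSHA hash on every set. The following Python script is an added example and is not code from this thread or from OpenLDAP: it builds and verifies {SSHA} values in the format slapd stores (base64 of a 20-byte SHA-1 digest over password+salt, followed by the salt), and it decodes the `userPassword::` LDIF line from the ldapmodifyuser output, where the double colon means the LDIF value itself is base64-encoded. The password "s3cret" and the fixed salt "abcd" are constructed test inputs; the 4-byte salt length is what the value quoted above carries (24 bytes after decoding, i.e. 20 bytes of digest plus 4 bytes of salt).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

SHA1_LEN = 20         # {SSHA} = base64( sha1(password + salt) + salt )
DEFAULT_SALT_LEN = 4  # salt length seen in the userPassword value quoted above


def ssha_hash(password: bytes, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value. With no salt given, a random one is drawn,
    which is why two sets of the same password yield different strings."""
    if salt is None:
        salt = os.urandom(DEFAULT_SALT_LEN)
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(value: str) -> Tuple[bytes, bytes]:
    """Return (digest, salt) from an {SSHA} value; reject other schemes."""
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to hold digest and salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: bytes, value: str) -> bool:
    """Recompute the digest with the stored salt; constant-time compare."""
    digest, salt = ssha_split(value)
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def ldif_attribute(line: str) -> Tuple[str, bytes]:
    """Split one LDIF line into (name, raw value).
    'attr:: v' means v is base64 of the real value; 'attr: v' is literal."""
    if "::" in line:
        name, value = line.split("::", 1)
        return name.strip(), base64.b64decode(value.strip())
    name, value = line.split(":", 1)
    return name.strip(), value.strip().encode()


if __name__ == "__main__":
    # The userPassword line exactly as printed by ldapmodifyuser above.
    _, stored = ldif_attribute(
        "userPassword:: e1NTSEF9VzZHdlFnTkdDMitzUk5BRStpMGMzcElVWG9hVTYzRjk=")
    digest, salt = ssha_split(stored.decode("ascii"))
    print(stored.decode("ascii"), "digest bytes:", len(digest), "salt bytes:", len(salt))

    # Constructed inputs: same password hashed twice gives two different values,
    # yet both verify, because the salt is carried inside the value.
    first, second = ssha_hash(b"s3cret"), ssha_hash(b"s3cret")
    print(first, second, first != second)
    print(ssha_verify(b"s3cret", first), ssha_verify(b"s3cret", second),
          ssha_verify(b"wrong", first))
```

Because the salt travels inside the value, a client that authenticates by binding never needs to know it: slapd does the recomputation above on every simple bind. The log excerpt in the thread shows only an anonymous bind followed by a search, so whether that search finds the entry is what decides the login, not the hash format.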
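The reply reads the slapd lines as a successful BIND, and the "not indexed" messages as harmless. What a practitioner would check next on those same lines is the search that follows the bind: its base, its filter and its nentries. The script below is an added example, not code from this thread or from OpenLDAP; it parses the quoted slapd log (reproduced inline as a constructed sample, with the mail client's line wrapping undone), groups operations per connection, undoes the RFC 4515 `\2A` escape in the filter, and compares the logged search base against the entry DN printed by ldapmodifyuser. The DN comparison is done RDN by RDN rather than as a string suffix, because "dc=domain" is a substring of "dc=mydomain".

```python
import re
from typing import Dict, List

# Constructed sample: the slapd lines quoted above, re-joined onto single lines.
# A raw string keeps the "\2A" filter escape intact.
SAMPLE_LOG = r"""
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 fd=39 ACCEPT from IP=172.17.1.6:51975 (IP=0.0.0.0:389)
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 BIND dn="" method=128
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 RESULT tag=97 err=0 text=
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SRCH base="dc=domain,dc=example" scope=2 deref=0 filter="(&(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(uid=le))"
Jan  2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (host) not indexed
Jan  2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
BIND_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=(\d+) filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+)')


def unescape_filter(flt: str) -> str:
    # RFC 4515 writes special characters as \XX hex, so (host=\2A) is (host=*).
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), flt)


def parse_slapd_log(lines: List[str]) -> Dict[int, Dict[int, dict]]:
    """Group BIND/SRCH operations and their RESULT lines by conn and op number.
    Lines that match nothing (index hints, ACCEPT) are ignored."""
    conns: Dict[int, Dict[int, dict]] = {}

    def op(conn: str, opnum: str) -> dict:
        return conns.setdefault(int(conn), {}).setdefault(int(opnum), {})

    for line in lines:
        if m := BIND_RE.search(line):
            op(m[1], m[2]).update(kind="BIND", bind_dn=m[3], method=int(m[4]))
        elif m := BIND_RESULT_RE.search(line):
            op(m[1], m[2])["err"] = int(m[3])
        elif m := SRCH_RE.search(line):
            op(m[1], m[2]).update(kind="SRCH", base=m[3], scope=int(m[4]),
                                  filter=unescape_filter(m[6]))
        elif m := SRCH_RESULT_RE.search(line):
            op(m[1], m[2]).update(err=int(m[3]), nentries=int(m[4]))
    return conns


def dn_components(dn: str) -> List[str]:
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_under_base(dn: str, base: str) -> bool:
    """True if dn is at or below base, comparing whole RDNs."""
    d, b = dn_components(dn), dn_components(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def diagnose(ops: Dict[int, dict], entry_dn: str) -> List[str]:
    """Explain, per operation, why a login lookup on this connection might
    never reach entry_dn. method=128 is a simple bind; dn="" is anonymous."""
    findings = []
    for num, o in sorted(ops.items()):
        if o.get("kind") == "BIND":
            who = "anonymous" if o["bind_dn"] == "" else o["bind_dn"]
            auth = "simple" if o["method"] == 128 else f"method {o['method']}"
            findings.append(f"op={num}: {auth} bind as {who}, err={o.get('err')}")
        elif o.get("kind") == "SRCH":
            if not dn_under_base(entry_dn, o["base"]):
                findings.append(f"op={num}: entry {entry_dn} is outside search base {o['base']}")
            if "(host=" in o["filter"]:
                findings.append(f"op={num}: filter requires a host attribute on the entry: {o['filter']}")
            if o.get("nentries") == 0:
                findings.append(f"op={num}: search returned no entries (err={o.get('err')})")
    return findings


if __name__ == "__main__":
    conns = parse_slapd_log(SAMPLE_LOG.strip().splitlines())
    for finding in diagnose(conns[2884], "uid=le,ou=Users,dc=mydomain,dc=example"):
        print(finding)
```

Run against the quoted lines it reports an anonymous simple bind with err=0, that the entry dn from ldapmodifyuser (...,dc=mydomain,dc=example) is not under the logged search base dc=domain,dc=example, that the filter requires a host attribute (the entry listing above shows none), and that the search returned nentries=0. Any of the last three alone would make sshd's PAM lookup miss the entry, so the new password hash is never consulted; the search base and the host filter come from the LDAP client configuration on elnath, which is where to look before reindexing the server again.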