On Sep 21, 2020, at 22:28, CLARKE, ED C ec4397@att.com wrote:
Hello Quanah,
I appreciate your help, and I wanted to give you some insight on how IBM set up our LDAP server regarding password changes. Below is an example what we have, essentially the .sh script performs an ldapmodify operation, using the ResetPW.ldif file.
ResetPW.sh ***** Reset password shell script ******** $ cat ResetPW.sh #/bin/bash
ldapmodify -h 127.0.0.1 -D "cn=Manager,dc=att,dc=com" -w LinuxONE -x -f /root/ResetPW.ldif
I really hope it’s not the real one.
----- root pdprfsl4.sldc.sbc.com /root -----ResetPW.ldif: $ cat ResetPW.ldif # dn: uid=foxdiv,ou=People,dc=att,dc=com changetype: modify replace: pwdReset pwdReset: TRUE - replace: userPassword userPassword: XXXXXXXXXX - ----- root pdprfsl4.sldc.sbc.com /root -----
This process has been working, if this is not ideal, then I will make any changes that you recommend. Below is the results of a search command & the commands that you gave me:
--- ec4397 Mon Sep 21 09:22:34 CDT 2020 pdprfsl4 /home/ec4397 --- $ sudo ldapsearch -x -b "uid=ec4397,ou=People,dc=att,dc=com" -H ldapi:/// -D "cn=Manager,dc=att,dc=com" -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=ec4397,ou=People,dc=att,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL #
# ec4397, People, att.com dn: uid=ec4397,ou=People,dc=att,dc=com uid: ec4397 cn: ec4397 objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 17780 shadowMin: 0 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 2000 gidNumber: 1001 homeDirectory: /home/ec4397 userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx= *** I commented this out ****
# search result search: 2 result: 0 Success
# numResponses: 2 # numEntries: 1 --- ec4397 Mon Sep 21 09:22:34 CDT 2020 pdprfsl4 /home/ec4397 ---
--- ec4397 Mon Sep 21 09:22:34 CDT 2020 pdprfsl4 /home/ec4397 --- $ sudo ldapwhoami -x -H ldapi:/// -D uid=foxdiv,ou=People,dc=att,dc=com -W [sudo] password for ec4397: Enter LDAP Password: ldap_bind: Invalid credentials (49) --- ec4397 Mon Sep 21 09:22:34 CDT 2020 pdprfsl4 /home/ec4397 ---
Any other tests that you would like me to run?
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Friday, September 18, 2020 4:46 PM To: CLARKE, ED C ec4397@att.com; openldap-technical@openldap.org Subject: RE: Issues with resetting user password
--On Friday, September 18, 2020 2:42 PM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
Nothing you've provided shows any attempt to connect to the ldap server using an SIMPLE BIND with the user DN "uid=foxdiv,ou=People,dc=att,dc=com" and a password.
As an example, the correct way to test the user password change went through would be something like:
ldapwhoami -x -H ldap://ldap.example.com:389/ -D uid=foxdiv,ou=People,dc=att,dc=com -W
If slapd is running on ldaps, adjust the URI accordingly. If it's on port 389 but requires startTLS, add the -ZZ option, etc.
You will be prompted for the password for the LDAP user. If the operation succeeds, then the password was correctly updated in LDAP.
It sounds as though you may be attempting *nix <-> ldap integration, but that hasn't been specified. Regardless, the above ldapwhoami command is the next step in confirming whether or not the password was correctly changed and accepted on the user side. If that works, and you're attempting the *nix<->ldap integration and *that* is not working, it would imply that the integration is not configured correctly.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.symas.com&d=DwIC... >