Hi
All this works fine!
Thank you very much!
Regards -- Philippe
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Thursday 15 October 2009 11:15
To: openldap-technical@openldap.org
Cc: CASEIRO Philippe
Subject: Re: Change user Password from an AIX on openLDAP server
On Tuesday, 6 October 2009 14:44:32 CASEIRO Philippe wrote:
> Hello
> I'm running openldap-2.3.43 on RHEL 5.3. All works fine (as usual) with the Linux clients, but I have some trouble with AIX.
> I have done these tests with an AIX 5.3 TL9 host.
> When I change my password with AIX it runs like this:
> [user@host] $ passwd
> Changing password for "user"
> user's Old password:
> user's New password:
> Enter the new password again:
> And it's done, over.
> When I check the modification on the openLDAP server, the password is in clear in the userPassword field.
> On my Linux clients it asks for the new password 2 times (normal?)
Use the "use_authtok" option when calling pam_ldap in the password lines, if it is preceded by e.g. pam_unix in the password lines ...
> and it is not in clear in the userPassword field.
> [user@host] $ passwd
> Changing password for user user.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> New password:
> Re-enter new password:
> LDAP password information changed for user
> passwd: all authentication tokens updated successfully.
> An extract of logs:
> From an AIX:
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
> Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" mech=SIMPLE ssf=0
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 RESULT tag=97 err=0 text=
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD dn="uid=user,ou=users,dc=xxx,dc=xx"
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD attr=userpassword
AIX has just sent a normal modify of the userPassword attribute. If the client did not hash it, the server will not.
> Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
The AIX box seems to support the password policy control, but it seems your LDAP server doesn't, so you are not using the ppolicy overlay.
> ... some troubles ....
> From Linux:
> Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 op=1 SRCH base="ou=users,dc=xxx,dc=xx" scope=2 deref=0 filter="(&(|(&(accessTo=host22)(trustModel=byhost))(trustModel=fullaccess))(uid=user))"
> Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (accessTo) not indexed
> Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed
> Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed
You should probably index the accessTo and trustModel attributes ...
> Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
> Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" mech=SIMPLE ssf=0
> Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 RESULT tag=97 err=0 text=
> Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 PASSMOD id="uid=user,ou=users,dc=xxx,dc=xx" new
> Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 RESULT oid= err=0 text=
The Linux box sends a password modify extended operation, in which case the server will always hash the password.
You may want to consider enabling the password policy overlay (this should give you password expiry notifications etc.), and to solve your cleartext password problem, use the "ppolicy_hash_cleartext" option, so that slapd will hash cleartext passwords sent in modify operations.
Regards, Buchan
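An added example, not from this thread or from OpenLDAP, that applies Buchan's observations to slapd stats-level log lines: it flags a plain modify of userPassword (stored as the client sent it unless ppolicy_hash_cleartext is on), distinguishes it from the PASSMOD extended operation that the server hashes itself, notes the unsupported password policy control, and lists attributes reported as not indexed. The log lines are constructed from the extracts above; the regexes and finding names are my own assumptions about the log format.

```python
import re

# Constructed sample, modelled on the AIX and Linux extracts quoted in the thread.
SAMPLE_LOG = """\
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD dn="uid=user,ou=users,dc=xxx,dc=xx"
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD attr=userpassword
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (accessTo) not indexed
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 PASSMOD id="uid=user,ou=users,dc=xxx,dc=xx" new
"""

PPOLICY_CONTROL_OID = "1.3.6.1.4.1.42.2.27.8.5.1"  # the control AIX sent in the log above

# Patterns for slapd "stats" loglevel lines (assumed format, matching the extracts).
MOD_DN_RE = re.compile(r'conn=(\d+) op=(\d+) MOD dn="([^"]*)"')
MOD_ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) MOD attr=(\S+)')
PASSMOD_RE = re.compile(r'conn=(\d+) op=(\d+) PASSMOD id="([^"]*)"')
NOT_INDEXED_RE = re.compile(r'bdb_equality_candidates: \((\w+)\) not indexed')

ADVICE = {
    "plain-modify-userpassword": "client replaced userPassword by plain modify; stored as sent "
                                 "unless the ppolicy overlay has ppolicy_hash_cleartext",
    "passmod": "password modify extended operation; slapd hashes the new value itself",
    "ppolicy-control-unsupported": "client asked for the password policy control; load the ppolicy overlay",
    "not-indexed": "add 'index <attr> eq' to slapd.conf for this attribute",
}

def audit_slapd_log(text):
    """Return (finding, subject) pairs for the conditions discussed in the thread."""
    findings, mod_dns = [], {}  # mod_dns: (conn, op) -> DN of the entry being modified
    for line in text.splitlines():
        if m := MOD_DN_RE.search(line):
            mod_dns[(m.group(1), m.group(2))] = m.group(3)
        elif (m := MOD_ATTR_RE.search(line)) and m.group(3).lower() == "userpassword":
            findings.append(("plain-modify-userpassword", mod_dns.get((m.group(1), m.group(2)), "?")))
        elif m := PASSMOD_RE.search(line):
            findings.append(("passmod", m.group(3)))
        elif "unrecognized control: " + PPOLICY_CONTROL_OID in line:
            findings.append(("ppolicy-control-unsupported", PPOLICY_CONTROL_OID))
        elif m := NOT_INDEXED_RE.search(line):
            findings.append(("not-indexed", m.group(1)))
    return findings

if __name__ == "__main__":
    for kind, subject in audit_slapd_log(SAMPLE_LOG):
        print(f"{kind:28} {subject}: {ADVICE[kind]}")
```

Run it against a real slapd log at loglevel stats to see which clients still replace userPassword with a plain modify after ppolicy_hash_cleartext is enabled.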