Hi,
I can use the following command to change the password in openldap after I create an entry le.
~~~
$ sudo ldapsetpasswd le
Changing password for user uid=le,ou=Users,dc=mydomain,dc=example
New Password:
Retype New Password:
Successfully set password for user uid=le,ou=Users,dc=mydomain,dc=example
~~~
And I can see the userPassword field is changed upon calling the above command.
~~~
$ sudo ldapmodifyuser le
[sudo] password for pengy:
# About to modify the following entry :
dn: uid=le,ou=Users,dc=mydomain,dc=example
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: le
uid: le
uidNumber: 10103
gidNumber: 10002
homeDirectory: /home/le
loginShell: /bin/bash
gecos: le
description: User account
shadowMax: 180
shadowLastChange: 0
userPassword:: e1NTSEF9VzZHdlFnTkdDMitzUk5BRStpMGMzcElVWG9hVTYzRjk=

# Enter your modifications here, end with CTRL-D.
dn: uid=le,ou=Users,dc=mydomain,dc=example
Successfully modified user entry uid=le,ou=Users,dc=mydomain,dc=example in LDAP
~~~
(BTW, why whenever I run ldapsetpasswd to set the same password, the userPassword field is set differently?)
But the user le is not able to log in to the servers (the servers connected to openldap for authentication) with the new password.
In /var/log/syslog of the openldap server (ubuntu), I see the following lines.
~~~
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 fd=39 ACCEPT from IP=172.17.1.6:51975 (IP=0.0.0.0:389)
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 BIND dn="" method=128
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 RESULT tag=97 err=0 text=
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SRCH base="dc=domain,dc=example" scope=2 deref=0 filter="(&(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(uid=le))"
Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (host) not indexed
Jan 2 12:17:22 openldapserver slapd[1082]: message repeated 3 times: [ <= bdb_equality_candidates: (host) not indexed]
Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (uid) not indexed
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
~~~
On the server to be logged in to (named elnath, also an Ubuntu server), /var/log/auth.log has the following line.
~~~
Jan 2 12:17:22 elnath sshd[21249]: Failed password for le from xxx.xx.xx.xx port 57155 ssh2
~~~
I have tried stopping the slapd service, running slapindex as root, and then starting the slapd service again on the openldapserver. But it still does not work.
Could anybody let me know how to fix this issue? Thanks.
On Wed, Jan 4, 2017 at 10:51 AM, Peng Yu pengyu.ut@gmail.com wrote:
Hi,
I can use the following command to change the password in openldap after I create an entry le.
~~~
$ sudo ldapsetpasswd le
Changing password for user uid=le,ou=Users,dc=mydomain,dc=example
New Password:
Retype New Password:
Successfully set password for user uid=le,ou=Users,dc=mydomain,dc=example
~~~
And I can see the userPassword field is changed upon calling the above command.
~~~
$ sudo ldapmodifyuser le
[sudo] password for pengy:
# About to modify the following entry :
dn: uid=le,ou=Users,dc=mydomain,dc=example
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: le
uid: le
uidNumber: 10103
gidNumber: 10002
homeDirectory: /home/le
loginShell: /bin/bash
gecos: le
description: User account
shadowMax: 180
shadowLastChange: 0
userPassword:: e1NTSEF9VzZHdlFnTkdDMitzUk5BRStpMGMzcElVWG9hVTYzRjk=

# Enter your modifications here, end with CTRL-D.
dn: uid=le,ou=Users,dc=mydomain,dc=example
Successfully modified user entry uid=le,ou=Users,dc=mydomain,dc=example in LDAP
~~~
(BTW, why whenever I run ldapsetpasswd to set the same password, the userPassword field is set differently?)
The userPassword field is changing because the system creates a new SSHA hash every time the password is set.
But the user le is not able to log in to the servers (the servers connected to openldap for authentication) with the new password.
In /var/log/syslog of the openldap server (ubuntu), I see the following lines.
~~~
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 fd=39 ACCEPT from IP=172.17.1.6:51975 (IP=0.0.0.0:389)
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 BIND dn="" method=128
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 RESULT tag=97 err=0 text=
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SRCH base="dc=domain,dc=example" scope=2 deref=0 filter="(&(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(uid=le))"
Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (host) not indexed
Jan 2 12:17:22 openldapserver slapd[1082]: message repeated 3 times: [ <= bdb_equality_candidates: (host) not indexed]
Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (uid) not indexed
Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
~~~
The log here shows a successful BIND. The "(host) not indexed" entry is not an error, it is simply a message telling you that the "host" attribute is a candidate to be indexed for your BDB database. If you want that message to go away then add an equality index for host.
On the server to be logged in to (named elnath, also an Ubuntu server), /var/log/auth.log has the following line.
~~~
Jan 2 12:17:22 elnath sshd[21249]: Failed password for le from xxx.xx.xx.xx port 57155 ssh2
~~~
Were you able to log into this server before changing the password? Do you have PAM set up on your client to use LDAP as a login source?
I have tried stopping the slapd service, running slapindex as root, and then starting the slapd service again on the openldapserver. But it still does not work.
Could anybody let me know how to fix this issue? Thanks.
-- Regards, Peng
On Wednesday, 4 January 2017 19:31 CET, Joshua Schaeffer jschaeffer0922@gmail.com wrote:
The log here shows a successful BIND.
Hmm, the log
| Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 BIND dn="" method=128
shows a successful _anonymous_ bind, that has nothing to do with the authentication.
The "(host) not indexed" entry is not an error, it is simply a message telling you that the "host" attribute is a candidate to be indexed for your BDB database. If you want that message to go away then add an equality index for host.
Side note: some of the openldap folks would consider the bdb backend a little bit outdated ...
Were you able to log into this server before changing the password? Do you have PAM set up on your client to use LDAP as a login source?
The OP didn't tell us what kind of LDAP user authentication he uses. Have you looked at the search request (that doesn't find anything)? Reformatted, for better readability:
~~~
(&
  (&
    (|(host=\2A)(host=elnath))
    (!(host=!elnath)))
  (&
    (|(host=\2A)(host=elnath))
    (!(host=!elnath)))
  (uid=le))
~~~
What program/tool created that filter (note the redundant duplicated subquery; A and A is always A)?
Since this search fails to find an entry, that's the place debugging should start. N.B.: It looks like this query is used by the authenticator to map the uid to a dn, which would be needed for a user bind.
HTH Ralf Mattes
On Wednesday, 4 January 2017 21:07 CET, "Ralf Mattes" r.mattes@mh-freiburg.de wrote:
Since this search fails to find an entry, that's the place debugging should start. N.B.: It looks like this query is used by the authenticator to map the uid to a dn, which would be needed for a user bind.
Quick followup: if the OP's transcript of 'ldapmodifyuser' is indeed complete then it's pretty obvious why the search fails - the user entry simply doesn't have a 'host' attribute.
Cheers, Ralf Mattes
Quick followup: if the OP's transcript of 'ldapmodifyuser' is indeed complete then it's pretty obvious why the search fails - the user entry simply doesn't have a 'host' attribute.
I see. The problem is the missing host attribute. After adding 'host' the problem is fixed.
I used ldapadduser to add the users. The configuration did not have a host field before.
Now I've added one line to the configuration. Is this the correct way to avoid this problem in the future? Thanks.
~~~
$ grep host /etc/ldapscripts/ldapadduser.template
host: *
~~~
openldap-technical@openldap.org
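As an added example (Python; not code from the thread, from OpenLDAP or from any PAM/NSS module), the filter copied from the slapd log above is parsed and evaluated against a few constructed entries, including one that mirrors the thread's user entry without a host attribute. Two details are worth seeing in working code: `\2A` in the log is an escaped `*`, so `(host=\2A)` is an equality match against the literal value `*` and only an entry that actually carries `host: *` satisfies it (a bare `(host=*)` would be a presence test, which is different); and `host: !elnath` is a deny that wins over `host: *`. That also means the template change above grants every newly created user access to every host that applies this filter, so give users specific host values where the restriction is actually wanted. The parser covers only the operators the logged filter uses; the entries are constructed for the example.

```python
# Added example (not from the thread): evaluate the authenticator's search filter
# from the slapd log against constructed entries to see which ones it returns.
import re
from typing import Dict, List

# Filter copied verbatim from the SRCH line in the thread. "\2A" is an escaped '*':
# it asserts equality with the literal value "*", not presence of the attribute.
THREAD_FILTER = (
    r"(&(&(|(host=\2A)(host=elnath))(!(host=!elnath)))"
    r"(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(uid=le))"
)

Entry = Dict[str, List[str]]


def _unescape(value: str) -> str:
    """Undo RFC 4515 \\XX hex escapes (e.g. \\2A -> '*')."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text: str):
    """Parse the subset of RFC 4515 used here: &, |, !, presence and equality."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # closing ')'
            return (op, kids)
        if op == "!":
            pos += 1
            kid = node()
            pos += 1  # closing ')'
            return ("!", [kid])
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        if value == "*":
            return ("present", attr.lower())
        return ("eq", attr.lower(), _unescape(value))

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry: Entry) -> bool:
    """Evaluate a parsed filter; attribute values compare case-insensitively."""
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "|":
        return any(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    values = [v.lower() for v in entry.get(tree[1], [])]
    if op == "present":
        return bool(values)
    return tree[2].lower() in values


def ldif_entry(text: str) -> Entry:
    """Turn 'attr: value' lines into a multi-valued attribute map (keys lowercased)."""
    entry: Entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


# Constructed entries for the example. The first mirrors the thread's user (no host).
ENTRIES = {
    "no host": "dn: uid=le,ou=Users,dc=mydomain,dc=example\nuid: le\n",
    "host: *": "uid: le\nhost: *\n",
    "host: elnath": "uid: le\nhost: elnath\n",
    "host: other": "uid: le\nhost: othersrv\n",
    "allow all, deny elnath": "uid: le\nhost: *\nhost: !elnath\n",
}


def who_matches(filter_text: str = THREAD_FILTER) -> Dict[str, bool]:
    """Map each constructed entry to whether the filter would return it."""
    tree = parse_filter(filter_text)
    return {name: matches(tree, ldif_entry(ldif)) for name, ldif in ENTRIES.items()}


if __name__ == "__main__":
    for name, ok in who_matches().items():
        print(f"{name:24s} -> {'returned' if ok else 'nentries=0'}")
```

Running it prints `nentries=0` for the entry without a host attribute, exactly what the slapd log shows, and `returned` only for entries carrying `host: *` or `host: elnath` without a matching `!elnath` deny.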