Hello the list,
I'm new here, new at OpenLDAP, and I have an issue.
I've searched for a long time now for an explanation but found nothing.
Here is my problem.
I run an OpenLDAP server on a Debian VM:
# slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Jul 23 2010 21:37:26) $
@barber:/build/buildd-openldap_2.4.11-1+lenny2-amd64-WJ2jlD/openldap-2.4.11/debian/build/servers/slapd
I have many direct clients (desktop computers that query the LDAP server) and everything works well.
I put these ACLs in slapd.conf to allow users to change their password:
access to attrs=userPassword,shadowLastChange by self write by dn="cn=syncuser,dc=example,dc=com" read by anonymous auth by * none
access to * by self write by * read
And it works fine.
These are the only ACL I have.
I also have 2 replicas of this LDAP server:
syncrepl rid=002
    provider=ldaps://ldap.example.com
    type=refreshOnly
    interval=00:01:00:00
    retry="60 10 300 +"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    bindmethod=simple
    schemachecking=off
    searchbase="dc=example,dc=com"
    binddn="cn=syncuser,dc=example,dc=com"
    credentials=youdonthavetoknow
    tls_reqcert=never
The replicas work well too and users can connect to those replica computers (I don't have clients of those replicas).
But the trouble is when a user connected to one of these replicas tries to change his password:
% passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Strong(er) authentication required
modifications require authentication
passwd: Permission denied
passwd: password unchanged
In the /var/log/auth.log file I found:
Apr 4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:account): password for user test will expire in 4 days
Apr 4 16:10:45 ovhstorage sshd[22056]: Accepted publickey for test from 88.162.182.86 port 49955 ssh2
Apr 4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:session): session opened for user test by (uid=0)
Apr 4 16:10:48 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd
Apr 4 16:10:55 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd
I know that modifications must be done on the master server, but how can I send modifications to the master? Do I have to use "referrals"?
Thanks in advance for giving the correct pointers.
Best regards,
Jacques Foucry
updateref ldap://ldapmaster.symas.com
http://www.openldap.org/doc/admin24/replication.html#Replication%20Technolog...
suomi
On 04/04/2012 04:13 PM, Jacques Foucry wrote:
On 04/04/2012 05:59 PM, anax wrote:
Hello,
updateref ldap://ldapmaster.symas.com
http://www.openldap.org/doc/admin24/replication.html#Replication%20Technolog...
Well, after reading the docs, I made some tests on a VM.
My goal is to allow users to change their password.
I have a working replica VM. On this VM I can log in with my LDAP password (PAM on this VM is a client of the replica).
When I try to change the password using the passwd command, this error occurs:
% passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Referral
passwd: Permission denied
passwd: password unchanged
In the log I found that:
Apr 6 15:44:17 debian slapd[3044]: <<< dnPrettyNormal: <>, <>
Apr 6 15:44:17 debian slapd[3044]: SRCH "" 0 0
Apr 6 15:44:17 debian slapd[3044]: 1 0 0
Apr 6 15:44:17 debian slapd[3044]: filter: (?objectClass=passwordPolicy)
Apr 6 15:44:17 debian slapd[3044]: attrs:
Apr 6 15:44:17 debian slapd[3044]:
Apr 6 15:44:17 debian slapd[3044]: conn=1007 op=7 SRCH base="" scope=0 deref=0 filter="(?objectClass=passwordPolicy)"
Apr 6 15:44:17 debian slapd[3044]: send_ldap_result: conn=1007 op=7 p=3
Apr 6 15:44:17 debian slapd[3044]: send_ldap_result: err=0 matched="" text=""
Apr 6 15:44:17 debian slapd[3044]: send_ldap_response: msgid=8 tag=101 err=0
Apr 6 15:44:17 debian slapd[3044]: conn=1007 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr 6 15:44:22 debian slapd[3044]: connection_get(17)
Apr 6 15:44:22 debian slapd[3044]: connection_get(17): got connid=1007
Apr 6 15:44:22 debian slapd[3044]: connection_read(17): checking for input on id=1007
Apr 6 15:44:22 debian slapd[3044]: op tag 0x66, time 1333719862
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 do_modify
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 do_modify: dn (cn=Test Test,ou=People,dc=example,dc=com)
Apr 6 15:44:22 debian slapd[3044]: >>> dnPrettyNormal: <cn=Test Test,ou=People,dc=example,dc=com>
Apr 6 15:44:22 debian slapd[3044]: <<< dnPrettyNormal: <cn=Test Test,ou=People,dc=example,dc=com>, <cn=test test,ou=people,dc=example,dc=com>
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 modifications:
Apr 6 15:44:22 debian slapd[3044]: #011replace: userPassword
Apr 6 15:44:22 debian slapd[3044]: #011#011one value, length 20
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD dn="cn=Test Test,ou=People,dc=example,dc=com"
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 MOD attr=userPassword
Apr 6 15:44:22 debian slapd[3044]: bdb_dn2entry("cn=test test,ou=people,dc=example,dc=com")
Apr 6 15:44:22 debian slapd[3044]: send_ldap_result: conn=1007 op=8 p=3
Apr 6 15:44:22 debian slapd[3044]: send_ldap_result: err=10 matched="" text=""
Apr 6 15:44:22 debian slapd[3044]: send_ldap_result: referral="ldaps://ldap.example.com/cn=Test%20Test,ou=People,dc=example,dc=com"
Apr 6 15:44:22 debian slapd[3044]: send_ldap_response: msgid=9 tag=103 err=10
Apr 6 15:44:22 debian slapd[3044]: send_ldap_response: ref="ldaps://ldap.example.com/cn=Test%20Test,ou=People,dc=example,dc=com"
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=8 RESULT tag=103 err=10 text=
Apr 6 15:44:22 debian slapd[3044]: connection_get(17)
Apr 6 15:44:22 debian slapd[3044]: connection_get(17): got connid=1007
Apr 6 15:44:22 debian slapd[3044]: connection_read(17): checking for input on id=1007
Apr 6 15:44:22 debian slapd[3044]: op tag 0x42, time 1333719862
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=9 do_unbind
Apr 6 15:44:22 debian slapd[3044]: conn=1007 op=9 UNBIND
Apr 6 15:44:22 debian slapd[3044]: connection_close: conn=1007 sd=17
Apr 6 15:44:22 debian slapd[3044]: conn=1007 fd=17 closed
Apr 6 15:44:22 debian slapd[3044]: connection_get(16)
Apr 6 15:44:22 debian slapd[3044]: connection_get(16): got connid=1006
Apr 6 15:44:22 debian slapd[3044]: connection_read(16): checking for input on id=1006
Apr 6 15:44:22 debian slapd[3044]: ber_get_next on fd 16 failed errno=0 (Success)
Apr 6 15:44:22 debian slapd[3044]: connection_close: conn=1006 sd=16
Apr 6 15:44:22 debian slapd[3044]: conn=1006 fd=16 closed (connection lost)
Why objectClass=passwordPolicy? I can find that kind of objectClass in my base.
I read that I need some ACLs. But where do I have to put them?
In the master I already have some ACLs:
access to attrs=userPassword,shadowLastChange by self write by dn="cn=syncuser,dc=example,dc=com" read by anonymous auth by * none
access to * by self write by * read
In the slave I've put:
syncrepl rid=202
    provider=ldaps://ldap.example.com
    type=refreshOnly
    interval=00:01:00:00
    retry="60 10 300 +"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    bindmethod=simple
    schemachecking=off
    searchbase="dc=example,dc=com"
    binddn="cn=syncuser,dc=example,dc=com"
    credentials=youdonthavetoknow
    tls_reqcert=never
updateref ldaps://ldap.example.com
Thanks in advance for your help and explanation.
Jacques Foucry
--On Friday, April 06, 2012 3:57 PM +0200 Jacques Foucry jacques.foucry@novasparks.com wrote:
I suggest you look at slapo-chain.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
openldap-technical@openldap.org
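As an added illustration of the slapo-chain route Quanah points to (this is example configuration written for this thread, not Jacques' config and not anything shipped by OpenLDAP), here is a consumer slapd.conf fragment that follows the updateref referral to the provider while asserting the bound user's identity, so the provider's existing "by self write" ACL on userPassword still decides the change and syncuser never needs write access to passwords. The provider URI and the syncuser bind identity are taken from the thread; the authz-policy and authzTo settings on the provider are assumptions, since the thread does not show that side.

```conf
###########################################################################
# Consumer (replica) slapd.conf, database section, after the syncrepl block.
# Example configuration for this thread, not the poster's own file.
###########################################################################
# updateref must name the same provider the chain overlay forwards to.
# Without chaining, clients that cannot follow referrals (pam_ldap/passwd
# here) keep getting err=10 "Referral" on the userPassword modify.
updateref               ldaps://ldap.example.com

overlay                 chain
chain-uri               "ldaps://ldap.example.com"
# Do not rebind on the provider with the user's own credentials; the
# consumer binds as syncuser and asserts the user's DN instead.
chain-rebind-as-user    FALSE
# mode="self" forwards the write with a proxied-authorization control
# carrying the DN the client bound as on the consumer. The provider's
# "access to attrs=userPassword ... by self write" ACL is therefore
# evaluated for the real user, and syncuser keeps read-only rights.
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=syncuser,dc=example,dc=com"
                        credentials="youdonthavetoknow"
                        mode="self"
# Return the provider's real result code to the client instead of a
# generic failure, so passwd reports what the provider actually decided.
chain-return-error      TRUE

###########################################################################
# Provider slapd.conf (ASSUMED: the thread does not show this side).
# The consumer's bind identity must be allowed to assert other users'
# DNs, or the chained modify is refused with an authorization error.
###########################################################################
# "to": a bind DN may assert the identities listed in its own authzTo
# attribute, checked against the DN carried in the proxied-authz control.
authz-policy            to
# Then add to the syncuser entry (LDIF, not slapd.conf), scoped to the
# user subtree only so syncuser cannot act as admin or other service DNs:
#   dn: cn=syncuser,dc=example,dc=com
#   authzTo: dn.subtree:ou=People,dc=example,dc=com
# Keep the existing ACLs unchanged; with the identity asserted, "by self
# write" on userPassword lets each user change only their own password.
```

After restarting the consumer, the slapd log for the same passwd run should show the modify completing with err=0 on the chained connection instead of the err=10 referral shown above; an authz failure at that point means the provider's authz-policy/authzTo step is missing.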