Hello
I'm running openldap-2.3.43 on an RHEL 5.3. All works fine (as usual) with the Linux clients, but I have some trouble with AIX.
I have done these tests with an AIX 5.3 TL9 host.
When I change my password with AIX it runs like this:
[user@host] $ passwd
Changing password for "user"
user's Old password:
user's New password:
Enter the new password again:
And it's done, over.
When I check the modification on the OpenLDAP server, the password is in clear in the field <userPassword>.
On my Linux clients it asks for the new password twice (normal?) and it is not in clear in the userPassword field.
[user@host] $ passwd
Changing password for user user.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information changed for user
passwd: all authentication tokens updated successfully.
An extract of the logs:
From an AIX:
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc= xxx,dc=xx" mech=SIMPLE ssf=0
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 RESULT tag=97 err=0 text=
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD dn="uid=user,ou=users,dc= xxx,dc=xx"
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD attr=userpassword userpassword
Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 RESULT tag=103 err=0 text=
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=2 UNBIND
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 fd=22 closed
Sep 17 14:51:19 srvldap slapd[8270]: conn=7 op=6 SRCH base="ou=users,dc= xxx,dc= xx " scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=in205))"
Sep 17 14:51:19 srvldap slapd[8270]: conn=7 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 17 14:51:19 srvldap slapd[8270]: conn=7 op=7 MOD dn="uid=user,ou=users,dc= xxx,dc= xx "
Sep 17 14:51:19 srvldap slapd[8270]: conn=7 op=7 MOD attr=shadowlastchange
Sep 17 14:51:19 srvldap slapd[8270]: conn=7 op=7 RESULT tag=103 err=8 text=modifications require authentication
... some troubles ....
From Linux:
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 fd=34 ACCEPT from IP=192.168.3.30:51023 (IP=0.0.0.0:636)
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 fd=34 TLS established tls_ssf=256 ssf=256
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 op=0 BIND dn="" method=128
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 op=0 RESULT tag=97 err=0 text=
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 op=1 SRCH base="ou=users,dc=xxx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 op=2 SRCH base="ou=users,dc=xxx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=user))"
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 6 15:37:40 srvldap slapd[2420]: conn=5764 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 fd=38 ACCEPT from IP=192.168.3.30:51024 (IP=0.0.0.0:636)
Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 fd=38 TLS established tls_ssf=256 ssf=256
Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 op=0 BIND dn="" method=128
Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 op=0 RESULT tag=97 err=0 text=
Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 op=1 SRCH base="ou=users,dc=xxx,dc=xx" scope=2 deref=0 filter="(&(|(&(accessTo=host22)(trustModel=byhost))(trustModel=fullaccess))(uid=user))"
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (accessTo) not indexed
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed
Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 6 15:37:43 srvldap slapd[2420]: conn=5765 op=2 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
Oct 6 15:37:43 srvldap slapd[2420]: conn=5765 op=2 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" mech=SIMPLE ssf=0
Oct 6 15:37:43 srvldap slapd[2420]: conn=5765 op=2 RESULT tag=97 err=0 text=
Oct 6 15:37:43 srvldap slapd[2420]: conn=5765 op=3 BIND anonymous mech=implicit ssf=0
Oct 6 15:37:43 srvldap slapd[2420]: conn=5765 op=3 BIND dn="" method=128
Oct 6 15:37:43 srvldap slapd[2420]: conn=5765 op=3 RESULT tag=97 err=0 text=
Oct 6 15:37:46 srvldap slapd[2420]: conn=5764 op=3 SRCH base="ou=users,dc=xxx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1001))"
Oct 6 15:37:46 srvldap slapd[2420]: conn=5764 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Oct 6 15:37:46 srvldap slapd[2420]: conn=5764 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" mech=SIMPLE ssf=0
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 RESULT tag=97 err=0 text=
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 PASSMOD id="uid=user,ou=users,dc=xxx,dc=xx" new
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 RESULT oid= err=0 text=
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=6 MOD dn="uid=user,ou=users,dc=xxx,dc=xx"
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=6 MOD attr=shadowLastChange
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=6 RESULT tag=103 err=0 text=
Oct 6 15:37:52 srvldap slapd[2420]: conn=5764 fd=34 closed (connection lost)
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=7 UNBIND
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 fd=38 closed
Thanks for your help.
-- Philippe Caseiro
On Tuesday, 6 October 2009 14:44:32 CASEIRO Philippe wrote:
Hello
I'm running openldap-2.3.43 on an RHEL 5.3. All works fine (as usual) with the Linux clients, but I have some trouble with AIX.
I have done these tests with an AIX 5.3 TL9 host.
When I change my password with AIX it runs like this:
[user@host] $ passwd
Changing password for "user"
user's Old password:
user's New password:
Enter the new password again:
And it's done, over.
When I check the modification on the OpenLDAP server, the password is in clear in the field <userPassword>.
On my Linux clients it asks for the new password twice (normal?)
Use the "use_authtok" option when calling pam_ldap in the password lines, if it is preceded by e.g. pam_unix in the password lines ...
and it is not in clear in the userPassword field.
[user@host] $ passwd
Changing password for user user.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information changed for user
passwd: all authentication tokens updated successfully.
An extract of the logs:
From an AIX:
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc= xxx,dc=xx" mech=SIMPLE ssf=0
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 RESULT tag=97 err=0 text=
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD dn="uid=user,ou=users,dc= xxx,dc=xx"
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD attr=userpassword userpassword
AIX has just sent a normal modify of the userPassword attribute. If the client did not hash it, the server will not.
Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
The AIX box seems to support the password policy control, but it seems your LDAP server doesn't, so you are not using the ppolicy overlay.
... some troubles ....
From Linux:
Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 op=1 SRCH base="ou=users,dc=xxx,dc=xx" scope=2 deref=0 filter="(&(|(&(accessTo=host22)(trustModel=byhost))(trustModel=fullaccess))(uid=user))"
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (accessTo) not indexed
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed
You should probably index accessTo and trustModel attributes ...
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" mech=SIMPLE ssf=0
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 RESULT tag=97 err=0 text=
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 PASSMOD id="uid=user,ou=users,dc=xxx,dc=xx" new
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 RESULT oid= err=0 text=
The Linux box sends a password modify extended operation, in which case the server will always hash the password.
You may want to consider enabling the password policy overlay (this should give you password expiry notifications etc.), and to solve your cleartext password problem, use the "ppolicy_hash_cleartext" option, so that slapd will hash cleartext passwords sent in modify operations.
Regards, Buchan
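The configuration Buchan recommends, written out as an added slapd.conf fragment for an OpenLDAP 2.3 server (this is not configuration from the thread; the suffix, schema path and policy DN are placeholders that must match the existing setup, and only the lines shown here need to be added to an existing database section):

```conf
# Global section.
# Scheme used when slapd hashes a password itself, i.e. for the Password
# Modify extended operation the Linux client sends and, with
# ppolicy_hash_cleartext below, for plain modifies. SSHA is the default.
password-hash   {SSHA}

# The ppolicy overlay needs its schema (path is a placeholder).
include         /etc/openldap/schema/ppolicy.schema

# Only needed when slapd was built with dynamic modules.
# moduleload      ppolicy.la

database        bdb
suffix          "dc=xxx,dc=xx"
# ... directory, rootdn, existing index lines unchanged ...

# Equality indexes for the attributes in the Linux client's host-access
# filter; without them slapd logs "bdb_equality_candidates: (...) not indexed"
# and falls back to scanning every entry under ou=users.
index           accessTo        eq
index           trustModel      eq

overlay         ppolicy
# Hash a cleartext userPassword received in a plain modify (the AIX case)
# before storing it. Without this slapd stores exactly what the client sent.
ppolicy_hash_cleartext
# Optional: a default policy entry (it must exist in the directory) gives
# expiry warnings and lockout to clients that send the ppolicy request
# control, which the AIX log shows this client already does.
# ppolicy_default "cn=default,ou=policies,dc=xxx,dc=xx"
```

Two caveats worth knowing before relying on this. New index directives only take effect for existing entries after stopping slapd and running slapindex on the database. And ppolicy_hash_cleartext only acts on modifies received after it is enabled, so any userPassword values already stored in clear stay that way until those users change their password again.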
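Buchan's diagnosis rests on reading three things out of the slapd log: whether a password change arrived as a plain MOD of userPassword or as a PASSMOD extended operation, whether the client sent a password policy control the server did not recognize, and which filter attributes are unindexed. The following script, added here as an example and not taken from the thread, checks a stats-level slapd log for exactly those three signals. The log lines in it are constructed, modelled on the extracts quoted above (the AIX client on conn=9, the Linux client on conn=5765); the `tls` flag only records whether a "TLS established" line for that connection appears in the extract being scanned.

```python
import re

# Constructed sample, modelled on the log extracts quoted in the thread.
SAMPLE_LOG = """\
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND dn="uid=user,ou=users,dc=xxx,dc=xx" mech=SIMPLE ssf=0
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 RESULT tag=97 err=0 text=
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD dn="uid=user,ou=users,dc=xxx,dc=xx"
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD attr=userpassword
Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 RESULT tag=103 err=0 text=
Oct 6 15:37:40 srvldap slapd[2420]: conn=5765 fd=38 TLS established tls_ssf=256 ssf=256
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (accessTo) not indexed
Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not indexed
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 PASSMOD id="uid=user,ou=users,dc=xxx,dc=xx" new
Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=5 RESULT oid= err=0 text=
"""

TLS_RE = re.compile(r'conn=(\d+) fd=\d+ TLS established')
MOD_DN_RE = re.compile(r'conn=(\d+) op=(\d+) MOD dn="([^"]*)"')
MOD_ATTR_RE = re.compile(r'conn=(\d+) op=(\d+) MOD attr=(\S+)')
PASSMOD_RE = re.compile(r'conn=(\d+) op=(\d+) PASSMOD id="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT .*?err=(\d+)')
UNRECOGNIZED_RE = re.compile(r'unrecognized control: (\S+)')
NOT_INDEXED_RE = re.compile(r'bdb_equality_candidates: \((\S+)\) not indexed')


def audit(log_text):
    """Scan stats-level slapd log lines and report how passwords were changed."""
    tls_conns = set()   # connections for which a "TLS established" line was seen
    mod_dn = {}         # (conn, op) -> target DN of a plain MOD
    pending = {}        # (conn, op) -> password change waiting for its RESULT line
    changes = []
    unrecognized = set()
    unindexed = set()
    for line in log_text.splitlines():
        if (m := TLS_RE.search(line)):
            tls_conns.add(m.group(1))
        elif (m := MOD_DN_RE.search(line)):
            mod_dn[(m.group(1), m.group(2))] = m.group(3)
        elif (m := MOD_ATTR_RE.search(line)):
            # Plain modify of userPassword: slapd stores the value as the client
            # sent it, so a cleartext value stays cleartext unless the ppolicy
            # overlay's ppolicy_hash_cleartext is enabled.
            if m.group(3).lower() == "userpassword":
                key = (m.group(1), m.group(2))
                pending[key] = {"kind": "plain-modify", "conn": key[0], "dn": mod_dn.get(key)}
        elif (m := PASSMOD_RE.search(line)):
            # Password Modify extended operation (RFC 3062): slapd hashes the new value.
            key = (m.group(1), m.group(2))
            pending[key] = {"kind": "passmod", "conn": key[0], "dn": m.group(3)}
        elif (m := RESULT_RE.search(line)):
            key = (m.group(1), m.group(2))
            if key in pending:
                change = pending.pop(key)
                change["err"] = int(m.group(3))
                change["tls"] = key[0] in tls_conns
                changes.append(change)
        elif (m := UNRECOGNIZED_RE.search(line)):
            # The OID logged in the thread is the password policy request control.
            unrecognized.add(m.group(1))
        elif (m := NOT_INDEXED_RE.search(line)):
            unindexed.add(m.group(1))
    return {
        "password_changes": changes,
        "unrecognized_controls": sorted(unrecognized),
        "unindexed_attrs": sorted(unindexed),
    }


def cleartext_risk(report):
    """(conn, dn) of successful plain modifies of userPassword: entries whose stored
    value is whatever the client sent, which for a client like AIX is cleartext."""
    return [(c["conn"], c["dn"]) for c in report["password_changes"]
            if c["kind"] == "plain-modify" and c["err"] == 0]


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for c in report["password_changes"]:
        print(f'conn={c["conn"]} {c["kind"]:12} dn={c["dn"]} err={c["err"]} tls={c["tls"]}')
    print("cleartext risk:", cleartext_risk(report))
    print("unrecognized controls:", report["unrecognized_controls"])
    print("unindexed attributes:", report["unindexed_attrs"])
```

Run against a real log (loglevel stats, the level these extracts were taken at), a non-empty `cleartext_risk` list is the set of entries to re-check with ldapsearch for an unhashed userPassword, and the same list should be empty again once ppolicy_hash_cleartext is in place. The unindexed-attribute set maps directly onto the index directives Buchan suggests.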
Hi
All this works fine !
Thank you very much !
Regards -- Philippe
-----Original Message-----
From: Buchan Milne [mailto:bgmilne@staff.telkomsa.net]
Sent: Thursday, 15 October 2009 11:15
To: openldap-technical@openldap.org
Cc: CASEIRO Philippe
Subject: Re: Change user Password from an AIX on openLDAP server