Hello,
I am new to this arena; I have OpenLDAP installed on my Linux server (RHEL 7.8). I am not able to reset user passwords. I have checked systemctl status slapd.service and it is active & running. Below is an example of the resetpw.ldif:
$ cat ResetPW.ldif
#
dn: uid=foxdiv,ou=People,dc=att,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
-
replace: userPassword
userPassword: xxxxxxxxxxxx
Any help would be appreciated, also any help on client side commands to test communications.
Thanks, Ed
Ed Clarke
Senior Software Engineer
Operations Transformation, Real-time Automation & Predictive Insights
http://mysolutions.dev.att.com/GNFO_Solutions/index.jsp
"RAPID" Certified Quality Eng. - ISO 9000/1
Six Sigma - Yellow Belt
AT&T Veterans
AT&T "ATO" 1010 Pine ST. Shared, St. Louis, MO. 63101
m 636.639.0713 | o 314.335.3158 | ec4397@att.com
--On Thursday, September 17, 2020 11:41 PM +0000 "CLARKE, ED C" ec4397@att.com wrote:
Hello,
I am new to this arena; I have OpenLDAP installed on my Linux server (RHEL 7.8).
I am not able to reset user passwords. I have checked systemctl status slapd.service and it is active & running.
Below is an example of the resetpw.ldif:
Are you using the ppolicy module? You've provided no information about your configuration.
The correct way to change a user password is to use an LDAPv3 password modify operation, not an ldapmodify change. See the ldappasswd(1) command.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
On 18/09/2020 at 00:57, Quanah Gibson-Mount wrote:
--On Thursday, September 17, 2020 11:41 PM +0000 "CLARKE, ED C" ec4397@att.com wrote:
Hello,
I am new to this arena; I have OpenLDAP installed on my Linux server (RHEL 7.8).
I am not able to reset user passwords. I have checked systemctl status slapd.service and it is active & running.
Below is an example of the resetpw.ldif:
Are you using the ppolicy module? You've provided no information about your configuration.
The correct way to change a user password is to use an LDAPv3 password modify operation, not an ldapmodify change. See the ldappasswd(1) command.
Note that we can't modify the pwdReset attribute through ldappasswd, as far as I know.
Ed, what is the error returned by your ldapmodify command?
Hello Clement,
What is strange is that I do not receive any error; the script runs and shows the below:
----- root pdprfsl4.sldc.sbc.com /root -----
$ cat ResetPW.ldif
#
dn: uid=foxdiv,ou=People,dc=att,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
-
replace: userPassword
userPassword: Linux0NE
-

******** Below is what is returned *************
----- root pdprfsl4.sldc.sbc.com /root -----
$ ./ResetPW.sh
modifying entry "uid=foxdiv,ou=People,dc=att,dc=com"

----- root pdprfsl4.sldc.sbc.com /root -----
$
Thanks, Ed
-----Original Message----- From: Clément OUDOT clement.oudot@worteks.com Sent: Friday, September 18, 2020 2:12 AM To: openldap-technical@openldap.org Subject: Re: Issues with resetting user password
--
Clément Oudot | Identity Solutions Manager
clement.oudot@worteks.com
Worteks | https://www.worteks.com
--On Friday, September 18, 2020 7:16 PM +0000 "CLARKE, ED C" ec4397@att.com wrote:
Hello Clement,
What is strange, is I do not receive any error, the script runs and shows the below:
We've no idea what your script is doing, so that's not particularly helpful. You need to show the output when running the correct sequence of commands.
The FIRST command should be an appropriate 'ldappasswd' operation to change the user password.
The SECOND command should be an appropriate 'ldapmodify' operation to add pwdReset: TRUE to the user entry.
You should run these on the command line so you can gather any error(s) returned by the utilities.
Once that is working, then you can move on to fixing your script to operate correctly.
Regards, Quanah
--On Friday, September 18, 2020 12:38 PM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
The SECOND command should be an appropriate 'ldapmodify' operation to add pwdReset: TRUE to the user entry.
You should run these on the command line so you can gather any error(s) returned by the utilities.
Hi Ed,
I wanted to add that the ability to modify the pwdReset attribute requires that the operation be done with an entity that has "Manage" rights or higher to the entry in question. You've not really provided any information on what entity is doing the write operation (rootdn? something else?) and what privileges that entity has. See the ldapmodify(5) man page on how to specify that the Manage DSA IT control be specified as part of the modification.
Regards, Quanah
Hello Clement,
Below are my results from the ldappasswd command. It ran fine, but when I tried the new password I could not log in; I tried the old password and I was able to log in:
----- root pdprfsl4.sldc.sbc.com /root -----
$ ldappasswd -H ldapi:/// -x -D "cn=Manager,dc=att,dc=com" -W -S uid=foxdiv,ou=People,dc=att,dc=com
New password:
Re-enter new password:
Enter LDAP Password:

----- root pdprfsl4.sldc.sbc.com /root -----
$ slapcat -n 0 | grep olcRootDN
olcRootDN: cn=Manager,dc=att,dc=com

----- root pdprfsl4.sldc.sbc.com /root -----
$ ldapsearch -b "cn=config"
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: KEYRING:persistent:0))

----- root pdprfsl4.sldc.sbc.com /root -----
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Friday, September 18, 2020 1:39 PM To: CLARKE, ED C ec4397@att.com; Clément OUDOT clement.oudot@worteks.com; openldap-technical@openldap.org Subject: RE: Issues with resetting user password
--On Friday, September 18, 2020 9:13 PM +0000 "CLARKE, ED C" ec4397@att.com wrote:
----- root pdprfsl4.sldc.sbc.com /root -----
$ ldappasswd -H ldapi:/// -x -D "cn=Manager,dc=att,dc=com" -W -S uid=foxdiv,ou=People,dc=att,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
Looks as though you are using the rootdn, so that is useful information.
You changed the password for user: "uid=foxdiv,ou=People,dc=att,dc=com" for SIMPLE BINDS.
----- root pdprfsl4.sldc.sbc.com /root ----- $ ldapsearch -b "cn=config"
Not clear to me what the goal of this command is. This attempts a SASL/GSSAPI bind by default. Are you using Kerberos, and thus SASL/GSSAPI?
Nothing you've provided shows any attempt to connect to the LDAP server using a SIMPLE BIND with the user DN "uid=foxdiv,ou=People,dc=att,dc=com" and a password.
Regards, Quanah
--On Friday, September 18, 2020 2:42 PM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
Nothing you've provided shows any attempt to connect to the LDAP server using a SIMPLE BIND with the user DN "uid=foxdiv,ou=People,dc=att,dc=com" and a password.
As an example, the correct way to test that the user password change went through would be something like:
ldapwhoami -x -H ldap://ldap.example.com:389/ -D uid=foxdiv,ou=People,dc=att,dc=com -W
If slapd is running on ldaps, adjust the URI accordingly. If it's on port 389 but requires startTLS, add the -ZZ option, etc.
You will be prompted for the password for the LDAP user. If the operation succeeds, then the password was correctly updated in LDAP.
It sounds as though you may be attempting *nix <-> ldap integration, but that hasn't been specified. Regardless, the above ldapwhoami command is the next step in confirming whether or not the password was correctly changed and accepted on the user side. If that works, and you're attempting the *nix<->ldap integration and *that* is not working, it would imply that the integration is not configured correctly.
Regards, Quanah
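As an added example (not code from the thread, and not OpenLDAP's own documentation), here is the sequence Quanah describes in this and his earlier message as one script: ldappasswd for the password change, ldapmodify for pwdReset, a read-back of the ppolicy state, and the ldapwhoami simple bind as the user. The server URI, the DNs and the password-file paths are assumptions; it uses the OpenLDAP client tools' -y and -T options so that neither the admin password nor the new user password is passed on the command line the way -w and -s would pass them.

```bash
#!/bin/bash
# Added example, not code from the thread: Quanah's two-step reset followed by
# the simple-bind check. URIs, DNs and the password-file paths are assumptions.
# Create the password files without a trailing newline (printf '%s' ...) and
# with mode 0600; the tools use the complete file contents as the password.
set -u

# LDIF that marks an entry for a forced password change. pwdReset is an
# operational attribute maintained by slapo-ppolicy, so the identity doing
# the ldapmodify needs manage-level rights on the entry (the rootdn has them).
build_pwdreset_ldif() {
  local dn="$1"
  printf 'dn: %s\nchangetype: modify\nreplace: pwdReset\npwdReset: TRUE\n' "$dn"
}

# Step 1: change the password with the LDAPv3 Password Modify extended
# operation (ldappasswd), not with a replace of userPassword in ldapmodify.
# -y reads the bind password and -T the new password from files.
reset_password() {
  local uri="$1" admin_dn="$2" admin_pw_file="$3" user_dn="$4" new_pw_file="$5"
  ldappasswd -x -H "$uri" -D "$admin_dn" -y "$admin_pw_file" \
    -T "$new_pw_file" "$user_dn"
}

# Step 2: set pwdReset: TRUE so ppolicy requires a change at the next login.
flag_must_change() {
  local uri="$1" admin_dn="$2" admin_pw_file="$3" user_dn="$4"
  build_pwdreset_ldif "$user_dn" |
    ldapmodify -x -H "$uri" -D "$admin_dn" -y "$admin_pw_file"
}

# Read the ppolicy state back; operational attributes are only returned
# when requested by name.
show_policy_state() {
  local uri="$1" admin_dn="$2" admin_pw_file="$3" user_dn="$4"
  ldapsearch -x -LLL -H "$uri" -D "$admin_dn" -y "$admin_pw_file" \
    -b "$user_dn" -s base '(objectClass=*)' pwdReset pwdChangedTime
}

# Step 3: prove the new credential with a SIMPLE bind as the user. The
# OpenLDAP tools exit with the LDAP result code: 0 is success, 49 is
# "Invalid credentials".
verify_bind() {
  local uri="$1" user_dn="$2" user_pw_file="$3"
  ldapwhoami -x -H "$uri" -D "$user_dn" -y "$user_pw_file"
}

# Turn an exit status from the tools above into a short label for logs.
describe_result() {
  case "$1" in
    0)  echo "success" ;;
    49) echo "invalid credentials: the directory rejected the password" ;;
    50) echo "insufficient access: bind identity lacks rights on the entry" ;;
    *)  echo "ldap result code $1" ;;
  esac
}

main() {
  local uri="ldap://ldap.example.com/"                 # assumption; use ldaps:// or add -ZZ for StartTLS
  local admin_dn="cn=Manager,dc=example,dc=com"        # assumption: the rootdn
  local user_dn="uid=jdoe,ou=People,dc=example,dc=com" # assumption: the entry being reset
  local admin_pw=/root/.ldap_admin_pw new_pw=/root/.ldap_new_pw   # assumption: 0600 secret files
  local rc
  reset_password "$uri" "$admin_dn" "$admin_pw" "$user_dn" "$new_pw" || exit $?
  flag_must_change "$uri" "$admin_dn" "$admin_pw" "$user_dn" || exit $?
  show_policy_state "$uri" "$admin_dn" "$admin_pw" "$user_dn"
  verify_bind "$uri" "$user_dn" "$new_pw"
  rc=$?
  echo "bind check as $user_dn: $(describe_result "$rc")"
  exit "$rc"
}

# Only run the sequence when invoked as "./reset-and-verify.sh run".
if [ "${1:-}" = "run" ]; then main; fi
```

Run each step by hand first, as Quanah suggests, and only wrap them in a script once every step returns 0; a non-zero exit from ldapmodify in step 2 (50, insufficient access) is the sign that the bind identity cannot write the operational attribute.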
Hello Quanah,
Thank you very much; I will try that and let you know on Monday. I really appreciate it. Have a great weekend, all.
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Friday, September 18, 2020 4:46 PM To: CLARKE, ED C ec4397@att.com; openldap-technical@openldap.org Subject: RE: Issues with resetting user password
Hello Quanah,
I appreciate your help, and I wanted to give you some insight on how IBM set up our LDAP server regarding password changes. Below is an example of what we have; essentially the .sh script performs an ldapmodify operation using the ResetPW.ldif file.
ResetPW.sh ***** Reset password shell script ********
$ cat ResetPW.sh
#!/bin/bash
ldapmodify -h 127.0.0.1 -D "cn=Manager,dc=att,dc=com" -w LinuxONE -x -f /root/ResetPW.ldif
----- root pdprfsl4.sldc.sbc.com /root -----

ResetPW.ldif:
$ cat ResetPW.ldif
#
dn: uid=foxdiv,ou=People,dc=att,dc=com
changetype: modify
replace: pwdReset
pwdReset: TRUE
-
replace: userPassword
userPassword: XXXXXXXXXX
-
----- root pdprfsl4.sldc.sbc.com /root -----
This process has been working; if this is not ideal, I will make any changes that you recommend. Below are the results of a search command and the commands that you gave me:
--- ec4397 Mon Sep 21 09:22:34 CDT 2020 pdprfsl4 /home/ec4397 ---
$ sudo ldapsearch -x -b "uid=ec4397,ou=People,dc=att,dc=com" -H ldapi:/// -D "cn=Manager,dc=att,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=ec4397,ou=People,dc=att,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ec4397, People, att.com
dn: uid=ec4397,ou=People,dc=att,dc=com
uid: ec4397
cn: ec4397
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 17780
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 1001
homeDirectory: /home/ec4397
userPassword:: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=   *** I commented this out ****

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
--- ec4397 Mon Sep 21 09:22:34 CDT 2020 pdprfsl4 /home/ec4397 ---

--- ec4397 Mon Sep 21 09:22:34 CDT 2020 pdprfsl4 /home/ec4397 ---
$ sudo ldapwhoami -x -H ldapi:/// -D uid=foxdiv,ou=People,dc=att,dc=com -W
[sudo] password for ec4397:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
--- ec4397 Mon Sep 21 09:22:34 CDT 2020 pdprfsl4 /home/ec4397 ---
Any other tests that you would like me to run?
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Friday, September 18, 2020 4:46 PM To: CLARKE, ED C ec4397@att.com; openldap-technical@openldap.org Subject: RE: Issues with resetting user password
On Sep 21, 2020, at 22:28, CLARKE, ED C ec4397@att.com wrote:
Hello Quanah,
I appreciate your help, and I wanted to give you some insight on how IBM set up our LDAP server regarding password changes. Below is an example of what we have; essentially the .sh script performs an ldapmodify operation using the ResetPW.ldif file.
ResetPW.sh ***** Reset password shell script ********
$ cat ResetPW.sh
#!/bin/bash
ldapmodify -h 127.0.0.1 -D "cn=Manager,dc=att,dc=com" -w LinuxONE -x -f /root/ResetPW.ldif
I really hope it’s not the real one.
--On Monday, September 21, 2020 10:28 PM +0000 "CLARKE, ED C" ec4397@att.com wrote:
Hello Quanah,
I appreciate your help, and I wanted to give you some insight on how IBM set up our LDAP server regarding password changes. Below is an example of what we have; essentially the .sh script performs an ldapmodify operation using the ResetPW.ldif file.
What directory server are you running? The discussion so far has been assuming that you're using OpenLDAP. IBM's directory server may have different requirements.
Regards, Quanah
Hello Quanah,
I am using OpenLDAP on an IBM LinuxONE server; IBM just helped with the setup. I was also able to test the below on my other LDAP server, and it performed as expected and changed the password.
----- root pdprfdl4.dadc.sbc.com /root -----
$ ldappasswd -H ldapi:/// -x -D "cn=Manager,dc=att,dc=com" -W -S uid=foxdiv,ou=People,dc=att,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
----- root pdprfdl4.dadc.sbc.com /root -----
$ ldapwhoami -x -H ldapi:/// -D uid=foxdiv,ou=People,dc=att,dc=com -W
Enter LDAP Password:
dn:uid=foxdiv,ou=People,dc=att,dc=com
----- root pdprfdl4.dadc.sbc.com /root -----
$ rpm -qa | grep -i ldap
openldap-clients-2.4.44-21.el7_6.s390x
sssd-ldap-1.16.2-13.el7_6.12.s390x
openldap-2.4.44-21.el7_6.s390x
openldap-servers-2.4.44-21.el7_6.s390x
----- root pdprfdl4.dadc.sbc.com /root -----
$
On my server with the issue, the command runs, but when I try logging in with the new password it fails; I can log in with the old password.
----- root pdprfsl4.sldc.sbc.com /root -----
$ ldappasswd -H ldapi:/// -x -D "cn=Manager,dc=att,dc=com" -W -S uid=foxdiv,ou=People,dc=att,dc=com
New password:
Re-enter new password:
Enter LDAP Password:
----- root pdprfsl4.sldc.sbc.com /root -----
$ ldapwhoami -x -H ldapi:/// -D uid=foxdiv,ou=People,dc=att,dc=com -W
Enter LDAP Password:
dn:uid=foxdiv,ou=People,dc=att,dc=com
----- root pdprfsl4.sldc.sbc.com /root -----
$ rpm -qa | grep -i ldap
nss-pam-ldapd-0.8.13-25.el7.s390x
compat-openldap-2.3.43-5.el7.s390x
openldap-clients-2.4.44-21.el7_6.s390x
openldap-servers-2.4.44-21.el7_6.s390x
openldap-2.4.44-21.el7_6.s390x
sssd-ldap-1.16.5-1.el7.s390x
----- root pdprfsl4.sldc.sbc.com /root -----
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Monday, September 21, 2020 5:10 PM To: CLARKE, ED C ec4397@att.com; openldap-technical@openldap.org Subject: RE: Issues with resetting user password
--On Monday, September 21, 2020 11:40 PM +0000 "CLARKE, ED C" ec4397@att.com wrote:
Hello Quanah,
I am using OpenLDAP on an IBM LinuxONE server; IBM just helped with the setup. I was also able to test the below on my other LDAP server, and it performed as expected and changed the password.
Ok, thanks.
dn:uid=foxdiv,ou=People,dc=att,dc=com
So this shows the LDAP password change for this user was successful in the LDAP server on pdprfdl4.dadc.sbc.com
dn:uid=foxdiv,ou=People,dc=att,dc=com
So this shows the LDAP password change for this user was successful in the LDAP server on pdprfsl4.sldc.sbc.com
This would show that the LDAP servers are working correctly, and that password modifications to each LDAP server are working correctly. The issue then lies between the OS and the integration software being used (SSSD etc).
As an aside, I would note that OpenLDAP 2.4.44 is extremely old. I do see that you're using an S390 mainframe, so I'm guessing your options are currently limited in regards to upgrading to a current release. If it ever becomes an issue (i.e., if your setup is doing replication which I would strongly advise against doing with 2.4.44), Symas could provide assistance in this area. Our CTO (who is also the chief architect of the OpenLDAP project) did the original S390 port of OpenLDAP, so we're quite familiar and can provide support for such a build.
Regards, Quanah
Hello Quanah,
Thank you very much, I really appreciate the help. I look forward to it.
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Tuesday, September 22, 2020 4:18 PM To: CLARKE, ED C ec4397@att.com; openldap-technical@openldap.org Subject: RE: Issues with resetting user password
Hello Quanah,
Regarding my architecture, we do have an IBM LinuxONE 2965L10 mainframe running RHEL 7. Below is info from my LDAP server:
--- ec4397 Mon Sep 28 10:04:46 CDT 2020 pdprfsl4 /home/ec4397 ---
$ hostnamectl
   Static hostname: pdprfsl4.sldc.sbc.com
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 8c40a74b59284ef18968501372a64d4a
           Boot ID: 2935e9ac179c49efad5c3d106c7ab3ef
    Virtualization: kvm
  Operating System: Red Hat Enterprise Linux
       CPE OS Name: cpe:/o:redhat:enterprise_linux:7.9:beta:server
            Kernel: Linux 4.14.0-115.21.2.el7a.s390x
      Architecture: s390x
--- ec4397 Mon Sep 28 10:04:46 CDT 2020 pdprfsl4 /home/ec4397 ---
$
Any help or suggestions would be greatly appreciated.
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Tuesday, September 22, 2020 4:18 PM To: CLARKE, ED C ec4397@att.com; openldap-technical@openldap.org Subject: RE: Issues with resetting user password
--On Monday, September 28, 2020 4:33 PM +0000 "CLARKE, ED C" ec4397@att.com wrote:
Any help or suggestions would be greatly appreciated.
Hi Ed,
If you mean help in regards to the issue you're facing with integration with LDAP, as I noted previously, the issue you are encountering does not appear to be with OpenLDAP at all, as password changes done via the ldappasswd command are correctly manifesting. The issue seems to be completely outside of LDAP, in that the server does not appear to actually be integrated with LDAP via something such as SSSD. You haven't actually stated what integration software is being used, so everything at this point is a guess. If it is SSSD, I would:
a) Compare the sssd configuration on the system that is working vs the one where it is not
b) Check the SSSD logs on both of those systems to see what they report
c) Compare the /etc/nsswitch.conf on both systems
Regards, Quanah
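The three checks Quanah lists (sssd.conf, the SSSD logs, nsswitch.conf), written up as an added example rather than anything from the thread: a script that prints a compact report on one host so the report from the working server and the one from the failing server can be compared with diff. The file paths are the RHEL 7 defaults, the sssctl call assumes the SSSD 1.16 shipped with that release, and the nsswitch/sssd.conf keys it looks for are the ones that decide whether a login ever reaches LDAP at all.

```bash
#!/bin/bash
# Added example, not code from the thread: Quanah's three checks (sssd.conf,
# SSSD logs, nsswitch.conf) as functions, to be run on the working host and
# the failing host so the outputs can be diffed. Paths are RHEL 7 defaults.
set -u

# Sources configured for one nsswitch database, e.g. "files sss" for passwd.
nss_sources() {
  local db="$1" conf="$2"
  awk -v db="$db" '$1 == (db ":") {
      $1 = ""; sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, ""); print; exit
  }' "$conf"
}

# Succeed only if every database involved in a login consults sss; list the
# ones that do not on stderr. A host missing sss here never asks SSSD at all.
nss_uses_sss() {
  local conf="$1" db missing=""
  for db in passwd shadow group; do
    case " $(nss_sources "$db" "$conf") " in
      *" sss "*) ;;
      *) missing="$missing $db" ;;
    esac
  done
  if [ -n "$missing" ]; then
    echo "nsswitch databases without sss:$missing" >&2
    return 1
  fi
  return 0
}

# The sssd.conf settings most likely to differ between two hosts, printed
# as "[section] key=value" so two reports can be compared with diff.
sssd_summary() {
  local conf="$1"
  awk '
    /^\[/ { section = $0 }
    /^[ \t]*(id_provider|auth_provider|chpass_provider|ldap_uri|ldap_search_base|ldap_tls_reqcert|cache_credentials)[ \t]*=/ {
      key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
      val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
      print section " " key "=" val
    }' "$conf"
}

# First domain named in the [sssd] section's "domains" setting.
sssd_first_domain() {
  awk '/^[ \t]*domains[ \t]*=/ {
      val = substr($0, index($0, "=") + 1); split(val, d, ",")
      gsub(/[ \t]/, "", d[1]); print d[1]; exit
  }' "$1"
}

# Full report for this host. sssd.conf is mode 0600, so run as root.
report() {
  local nss="${1:-/etc/nsswitch.conf}" sssd="${2:-/etc/sssd/sssd.conf}" db
  echo "== nsswitch.conf =="
  for db in passwd shadow group; do
    echo "$db: $(nss_sources "$db" "$nss")"
  done
  nss_uses_sss "$nss" && echo "passwd/shadow/group all consult sss"
  echo "== sssd.conf =="
  sssd_summary "$sssd"
  echo "== SSSD domain status =="
  # sssctl (SSSD 1.14+) reports whether the domain backend is online; pam_sss
  # refuses password changes while the backend is offline.
  if command -v sssctl >/dev/null 2>&1; then
    sssctl domain-status "$(sssd_first_domain "$sssd")"
  fi
  echo "== SSSD logs mentioning offline =="
  grep -il offline /var/log/sssd/*.log 2>/dev/null || echo "(none found)"
}

# Only run when invoked as "./sssd-report.sh run"; save the output on each
# host and diff the two files.
if [ "${1:-}" = "run" ]; then report; fi
```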
Hello Quanah,
I also tried a passwd command on one of my client servers against the LDAP server that has the issue and received this error:
foxdiv@dvprfsl5.sldc.sbc.com's password:
Last failed login: Mon Sep 21 17:02:24 CDT 2020 from 135.70.155.254 on ssh:notty
There were 2 failed login attempts since the last successful login.
Last login: Fri Aug 28 12:27:35 2020 from 135.70.140.195
[foxdiv@dvprfsl5 ~]$ passwd
Changing password for user foxdiv.
Current Password:
System is offline, password change not possible
passwd: Authentication token manipulation error
[foxdiv@dvprfsl5 ~]$
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Monday, September 21, 2020 5:10 PM To: CLARKE, ED C ec4397@att.com; openldap-technical@openldap.org Subject: RE: Issues with resetting user password
Hello,
What type of configuration info do you need? I will send some copies. Regarding the ppolicy module, I do see scripts for it, and we do have a password policy in place. Below is a copy of ppolicyruleReplace.ldif:
$ cat ppolicyruleReplace.ldif
#
dn: cn=passwordDefault,ou=Policies,dc=att,dc=com
changetype: modify
replace: pwdMaxAge
pwdMaxAge: 7776000
-
replace: pwdMaxFailure
pwdMaxFailure: 8
-
replace: pwdFailureCountInterval
pwdFailureCountInterval: 21600
-
replace: pwdLockoutDuration
pwdLockoutDuration: 1800
-
replace: pwdExpireWarning
pwdExpireWarning: 7776000
-
replace: pwdGraceAuthNLimit
pwdGraceAuthNLimit: 0
-
replace: pwdMustChange
pwdMustChange: TRUE
Here is a copy of my ldap.conf:
----- root pdprfsl4.sldc.sbc.com /etc/openldap -----
$ cat ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE	dc=example,dc=com
#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT	12
#TIMELIMIT	15
#DEREF		never

TLS_CACERTDIR /etc/openldap/cacerts

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON	on
URI ldap://pdprfsl4.sldc.sbc.com/
BASE dc=att,dc=com
tls_checkpeer no
----- root pdprfsl4.sldc.sbc.com /etc/openldap -----
Thanks, Ed
-----Original Message----- From: Quanah Gibson-Mount quanah@symas.com Sent: Thursday, September 17, 2020 5:58 PM To: CLARKE, ED C ec4397@att.com; openldap-technical@openldap.org Subject: Re: Issues with resetting user password