I've set up OpenLDAP 2.4.10 and have been using phpldapadmin for user management. The machines in our QA environment are set up to allow LDAP users to log in, and they are also able to change their password via the passwd command. However, they are only able to do this once; if they attempt it again, it bounces back with "LDAP Password incorrect: try again". They are able to log out and in regardless, but passwd will not accept their password in order to change it. If the user's password is reset in phpldapadmin, again they are able to change the password once, and no more. There is no password policy configured in slapd; should there be?
I have loglevel set to 296, but I'm not sure what to look for.
thanks rone
On Thursday 17 July 2008 17:46:29 Ron Echeverri wrote:
I've set up OpenLDAP 2.4.10 and have been using phpldapadmin for user management. The machines in our QA environment are set up to allow LDAP users to log in, and they are also able to change their password via the passwd command. However, they are only able to do this once; if they attempt it again, it bounces back with "LDAP Password incorrect: try again". They are able to log out and in regardless, but passwd will not accept their password in order to change it. If the user's password is reset in phpldapadmin, again they are able to change the password once, and no more. There is no password policy configured in slapd; should there be?
Although this is not an OpenLDAP problem (it has to do with your identity resolution and authentication), and as you don't give enough details for us to help you solve your problem, I'm going to assume some things:
- You are using OpenLDAP on a Linux distribution
- You are managing the Unix resolution via NSS_LDAP
What does your /etc/ldap.conf file look like?
What is the ACL section of your slapd.conf?
What messages do you see in your logs when a user tries to update his password?
I have loglevel set to 296, but I'm not sure what to look for.
What messages do you see in your logs when a user tries to update his password?
Are you using PAM?
thanks rone
I was trying to add an entry to this, and thought it was more wiki-like than it really was. Anyway, I've managed to mess up the layout, and my only choice now is to "Append to this answer", rather than being able to edit what was already there.
Is there a way of editing it, or can I request the deletion of the question "How Do I Export Active Directory into OpenLDAP to emulate the Outlook Global Address List?" so I can start again, and only paste in the content when I've finished arranging it locally?
Also, the email that is sent out when doing admin on your login (e.g. password resets, etc.) doesn't have a full link in it. E.g., it says:
"Or access the following URL. Be careful when you copy and paste the URL that the line-break doesn't cut the URL short.
/faq/index.cgi?_id=....."
And it seems to be missing the http://.... part at the start.
Thanks,
Chris
Clemson, Chris (IHG) wrote:
I was trying to add an entry to this, and thought it was more wiki-like than it really was. Anyway, I've managed to mess up the layout, and my only choice now is to "Append to this answer", rather than being able to edit what was already there.
It's indeed wiki-like, although the UI really sucks.
Navigate to the FAQ article, click [Appearance], set "expert editing commands" to "Compact" or "Show", login, edit.
Ciao, Michael.
It's indeed wiki-like, although the UI really sucks.
Lol!
Navigate to the FAQ article, click [Appearance], set "expert editing commands" to "Compact" or "Show", login, edit.
Ah, that's great, thank you!
Chris
I've set up OpenLDAP 2.4.10 and have been using phpldapadmin for user management. The machines in our QA environment are set up to allow LDAP users to log in, and they are also able to change their password via the passwd command. However, they are only able to do this once; if they attempt it again, it bounces back with "LDAP Password incorrect: try again". They are able to log out and in regardless, but passwd will not accept their password in order to change it. If the user's password is reset in phpldapadmin, again they are able to change the password once, and no more.
I'd like to thank Kim Nguyen for giving me the solution to my problem: reconfiguring OpenLDAP with --enable-crypt (which, inexplicably, is off by default). Once I recompiled slapd, I was able to change passwords as often as I liked.
rone
Ron Echeverri wrote:
I've set up OpenLDAP 2.4.10 and have been using phpldapadmin for user management. The machines in our QA environment are set up to allow LDAP users to log in, and they are also able to change their password via the passwd command. However, they are only able to do this once; if they attempt it again, it bounces back with "LDAP Password incorrect: try again". They are able to log out and in regardless, but passwd will not accept their password in order to change it. If the user's password is reset in phpldapadmin, again they are able to change the password once, and no more.
I'd like to thank Kim Nguyen for giving me the solution to my problem: reconfiguring OpenLDAP with --enable-crypt (which, inexplicably, is off by default). Once I recompiled slapd, I was able to change passwords as often as I liked.
You shouldn't use {CRYPT} as the password scheme in phpldapadmin. Its implementation may differ on different OS platforms (e.g. when running phpldapadmin on a different platform). This is a good reason for --enable-crypt being off by default. Use {SSHA} instead for new passwords and let the old passwords age.
Ciao, Michael.
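To make the {SSHA} recommendation concrete, here is an added example (not from the thread or from OpenLDAP's own code) that builds and verifies an RFC 2307-style {SSHA} userPassword value in pure Python: SHA-1 over password plus salt, then base64 of digest plus salt. Unlike {CRYPT}, the result depends only on the algorithm, not on the platform's crypt(3); the 4-byte salt length is the one slappasswd generates by default.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # bytes in a SHA-1 digest; everything after it is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt).

    Each call with salt=None yields a different value for the same password,
    which is the property that makes {SSHA} preferable to unsalted {SHA}.
    """
    if salt is None:
        salt = os.urandom(4)  # 4 random bytes, as slappasswd does by default
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a password against a stored {SSHA} value.

    The salt is recovered from the stored value itself, so a verifier on any
    platform reaches the same answer; a constant-time compare avoids leaking
    how many leading bytes matched.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("{SSHA} value too short to contain a salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, candidate)


def salt_of(stored: str) -> bytes:
    """Return the salt embedded in a stored {SSHA} value."""
    return base64.b64decode(stored[len(SCHEME):])[SHA1_LEN:]


if __name__ == "__main__":
    # Constructed sample: two hashes of one password differ only by salt.
    first, second = make_ssha("correct horse"), make_ssha("correct horse")
    print(first)
    print(second)
    print(check_ssha("correct horse", first), check_ssha("wrong", first))
```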
On Monday 21 July 2008 21:08:57 Ron Echeverri wrote:
I've set up OpenLDAP 2.4.10 and have been using phpldapadmin for user management. The machines in our QA environment are set up to allow LDAP users to log in, and they are also able to change their password via the passwd command. However, they are only able to do this once; if they attempt it again, it bounces back with "LDAP Password incorrect: try again". They are able to log out and in regardless, but passwd will not accept their password in order to change it. If the user's password is reset in phpldapadmin, again they are able to change the password once, and no more.
I'd like to thank Kim Nguyen for giving me the solution to my problem: reconfiguring OpenLDAP with --enable-crypt (which, inexplicably, is off by default). Once I recompiled slapd, I was able to change passwords as often as I liked.
Maybe you should rather use
pam_password exop
in /etc/ldap.conf, and ensure that you are using pam_ldap for authentication, and not nss_ldap->pam_unix which limits you to the insufficiently encrypted crypt hash.
Regards, Buchan
openldap-technical@openldap.org