I've got openLDAP running and installed the pam and nss libraries so it would also control the Linux passwords. I'm trying to sign onto my server using ssh - but once I enter my username and password, I get
WARNING: Your password has expired. You must change your password now and login again! Enter login(LDAP) password:
Now being a bad security person, I always use the exact same username / password combination and they don't work.
If I use either nothing (just hit Enter) or if I put in the standard password I get
passwd: Authentication information cannot be recovered
passwd: password unchanged
Connection to ubuntu closed.
If I enter in some nonsensical string I get
LDAP Password incorrect: try again Enter login(LDAP) password:
However, that is the only root level user on the machine and I have TONS of stuff on it. How do I fix? Is this an openLDAP issue or something else?
Thanks
You probably don't have the slapd ACLs configured so clients can read the necessary shadow fields... particularly those governing password age (e.g., shadowLastChange, shadowMax).
On Tue, Jul 28, 2009 at 5:52 AM, mlb@imparisystems.com wrote:
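The ACL point in the reply above, worked through as an added example (not a file from the thread or from the OpenLDAP project). Suffix, the admin DN and the service DN that nss_ldap/pam_ldap bind as are assumptions for illustration; the syntax is slapd.conf style, and on a cn=config server the same rules go into the database's olcAccess attributes, one rule per `olcAccess: {n}` value, in the same order.

```conf
# Added example; DNs below are assumed, not taken from the thread.
#
# BEFORE (a common distribution default): the only rule that names
# shadowLastChange bundles it with userPassword, so nothing except the
# entry itself and the admin can read it. A client that looks the user
# up anonymously or as a service DN gets the attribute back as absent,
# and the password-ageing check then treats the password as never
# changed, i.e. expired.
#
#access to attrs=userPassword,shadowLastChange
#        by self write
#        by anonymous auth
#        by dn="cn=admin,dc=example,dc=com" write
#        by * none
#
#access to *
#        by dn="cn=admin,dc=example,dc=com" write
#        by * read

# AFTER: keep the secret locked down, but let the clients that evaluate
# password ageing read the attributes that govern it. slapd matches
# rules first-to-last, so the attribute-specific rules come first.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="cn=admin,dc=example,dc=com" write
        by * none

# shadowLastChange stays writable by self: pam_ldap updates it when a
# password change succeeds, so a read-only grant would leave the
# "expired" state in place after every change.
access to attrs=shadowLastChange,shadowMax,shadowMin,shadowWarning,shadowInactive,shadowExpire,shadowFlag
        by self write
        by dn="cn=admin,dc=example,dc=com" write
        by dn="cn=nss,dc=example,dc=com" read
        by * none

access to *
        by dn="cn=admin,dc=example,dc=com" write
        by * read
```

If nss_ldap and pam_ldap on the client are not configured with a binddn (lookups are anonymous), the `cn=nss` grant does nothing and the rule needs `by anonymous read` instead; that makes password-ageing metadata readable to anything that can reach the directory, which is the trade-off to weigh against giving the client a dedicated read-only bind DN. To confirm the fix before touching PAM again, bind from the client the same way the libraries do (`ldapsearch -x` for anonymous, or `-D cn=nss,... -W`) and ask for `shadowLastChange shadowMax` on the user's entry: if the attributes come back, the ACL is no longer the problem.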
Thanks Matt -
With your hint, I was able to start digging around and found out that the problem was with pam. I ended up going into /etc/pam.d/common-password and changed
password sufficient pam_ldap.so use_first_pass
to
password sufficient pam_ldap.so
Not quite sure what it does, but it works and I'll read the pam man pages later.
On Tue, 2009-07-28 at 07:21 -0600, Matt Kassawara wrote:
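What the change in the message above does, shown as an added example in context of an Ubuntu-style /etc/pam.d/common-password (not the poster's actual file; the surrounding pam_unix and pam_deny lines and their order are assumptions). The point it illustrates is the error text in the original post: `use_first_pass` on the password stack tells pam_ldap to take the new password that an earlier module left in the stack and to fail if there is none, and the failure code for "no token to recover" is PAM_AUTHTOK_RECOVERY_ERR, whose stock message is "Authentication information cannot be recovered".

```conf
# Added example; module order and pam_unix options are assumed.
#
# Failing stack. The account exists only in LDAP, so pam_unix has no
# /etc/shadow entry to change and returns before prompting for a new
# password; nothing is stored in the stack. pam_ldap, told by
# use_first_pass to rely on that stored token, fails with
# PAM_AUTHTOK_RECOVERY_ERR ("Authentication information cannot be
# recovered") no matter what was typed at its own old-password prompt.
#password   sufficient   pam_unix.so obscure sha512
#password   sufficient   pam_ldap.so use_first_pass
#password   required     pam_deny.so

# Working stack (the change from the thread). Without use_first_pass,
# pam_ldap prompts for the new password itself, writes it to
# userPassword in the directory and updates shadowLastChange.
password   sufficient   pam_unix.so obscure sha512
password   sufficient   pam_ldap.so
password   required     pam_deny.so
```

Two caveats a practitioner would want. First, this only fixes the forced password change; whether the "password has expired" warning goes away on the next login depends on the client being able to read the shadow ageing attributes, which is the ACL point raised earlier in the thread. Second, dropping the option entirely means a user who exists both locally and in LDAP is asked for the new password twice; `try_first_pass` (use the stacked token if present, prompt otherwise) avoids that without reintroducing the hard failure.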