Your message dated Thu, 12 May 2011 18:24:16 +0200
with message-id <[email protected]>
and subject line Re: Bug#617322: nslcd fails to follow referral on password change
has caused the Debian Bug report #617322,
regarding nslcd fails to follow referral on password change
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
617322: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617322
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: nslcd
Version: 0.7.13
Severity: normal
The passwd command is failing when consumer (slave) ldap servers are
specified before provider (master) ldap servers in nslcd.conf.
CLI:
username@host:/tmp$ passwd
Enter current password:
You can now choose the new password or passphrase.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use a 9 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes. An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.
A passphrase should be of at least 4 words, 12 to 40 characters
long, and contain enough different characters.
Enter new password:
Re-type new password:
Referral
passwd: User not known to the underlying authentication module
passwd: password unchanged
Syslog:
2011-03-07T16:28:12-08:00 host authpriv debug passwd passwd[23236]:
pam_ldap(passwd:chauthtok): nslcd authentication; user=username
2011-03-07T16:28:12-08:00 host authpriv debug passwd passwd[23236]:
pam_ldap(passwd:chauthtok): authentication succeeded
2011-03-07T16:28:17-08:00 host authpriv debug passwd passwd[23236]:
pam_ldap(passwd:chauthtok): nslcd password modify; user=username
2011-03-07T16:28:17-08:00 host authpriv notice passwd passwd[23236]:
pam_ldap(passwd:chauthtok): password change failed: Referral; user=username
2011-03-07T16:28:17-08:00 host authpriv debug passwd passwd[23236]:
pam_unix(passwd:chauthtok): user "username" does not exist in /etc/passwd
2011-03-07T16:28:17-08:00 host daemon warning nslcd nslcd[22889]: [5558ec]
ldap_start_tls_s() failed: Local error (uri="ldaps://ldapmaster.my.tld:636")
2011-03-07T16:28:17-08:00 host daemon err nslcd nslcd[22889]: [5558ec]
ldap_passwd_s() without old password failed: Referral
2011-03-07T16:28:17-08:00 host daemon warning nslcd nslcd[22889]: [5558ec]
ldap_start_tls_s() failed: Local error (uri="ldaps://ldapmaster.my.tld:636")
2011-03-07T16:28:17-08:00 host daemon err nslcd nslcd[22889]: [5558ec]
ldap_passwd_s() with old password failed: Referral
The workaround is to modify nslcd.conf and list the provider (master) server
first.
In both cases nslcd.conf contains the line:
referrals yes
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (900, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages nslcd depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii debconf [debconf-2.0] 1.5.36.1 Debian configuration management sy
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libgssapi-krb5-2 1.8.3+dfsg-4 MIT Kerberos runtime libraries - k
ii libldap-2.4-2 2.4.23-7 OpenLDAP libraries
Versions of packages nslcd recommends:
ii libnss-ldapd [libnss-ldap] 0.7.13 NSS module for using LDAP as a nam
ii libpam-ldapd [libpam-ldap] 0.7.13 PAM module for using LDAP as an au
ii nscd 2.11.2-10 Embedded GNU C Library: Name Servi
Versions of packages nslcd suggests:
pn kstart <none> (no description available)
-- debconf-show failed
--- End Message ---
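Added example, not part of the original report and not nslcd's own code: a log triage helper that rejoins mail-wrapped syslog records like the ones quoted above and groups nslcd's "Referral" password-change failures with the ldap_start_tls_s() failures logged under the same bracketed tag. It assumes the tag (here [5558ec]) identifies one nslcd request; the function names and the SAMPLE constant are made up for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: records copied from the report, still wrapped as mailed.
SAMPLE = """\
2011-03-07T16:28:17-08:00 host daemon warning nslcd nslcd[22889]: [5558ec]
ldap_start_tls_s() failed: Local error (uri="ldaps://ldapmaster.my.tld:636")
2011-03-07T16:28:17-08:00 host daemon err nslcd nslcd[22889]: [5558ec]
ldap_passwd_s() without old password failed: Referral
2011-03-07T16:28:17-08:00 host daemon warning nslcd nslcd[22889]: [5558ec]
ldap_start_tls_s() failed: Local error (uri="ldaps://ldapmaster.my.tld:636")
2011-03-07T16:28:17-08:00 host daemon err nslcd nslcd[22889]: [5558ec]
ldap_passwd_s() with old password failed: Referral
2011-03-07T16:28:12-08:00 host authpriv debug passwd passwd[23236]:
pam_ldap(passwd:chauthtok): authentication succeeded
"""

TS = re.compile(r"^\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d[+-]\d\d:\d\d ")
NSLCD = re.compile(r"nslcd\[(\d+)\]: \[([0-9a-f]+)\] (.*)$")
TLS_FAIL = re.compile(r'ldap_start_tls_s\(\) failed: (.+?) \(uri="([^"]+)"\)')
PW_FAIL = re.compile(r"ldap_passwd_s\(\) .* failed: Referral")

def unwrap(text):
    """Rejoin wrapped records: a line without a timestamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if TS.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def referral_failures(text):
    """Map (pid, tag) -> Referral password failures and the URIs named in
    ldap_start_tls_s() failures under the same tag (assumed: tag = one request)."""
    out = defaultdict(lambda: {"passwd_referral_failures": 0, "tls_failed_uris": set()})
    for rec in unwrap(text):
        m = NSLCD.search(rec)
        if not m:
            continue  # not an nslcd record (e.g. the pam_ldap lines from passwd)
        pid, tag, msg = m.groups()
        tls = TLS_FAIL.search(msg)
        if tls:
            out[(pid, tag)]["tls_failed_uris"].add(tls.group(2))
        elif PW_FAIL.search(msg):
            out[(pid, tag)]["passwd_referral_failures"] += 1
    return {k: v for k, v in out.items() if v["passwd_referral_failures"]}
```

Run over the sample, it reports one request with two failed password modifications and the single URI whose TLS setup failed alongside them.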
--- Begin Message ---
On Wed, 2011-05-11 at 18:21 -0700, Chris Hiestand wrote:
> Actually it does work!
Ok, good to hear. Turns out I was missing "referrals yes" in my test
set-up, that's why it didn't work for me.
Anyway, good to know this is supported.
--
-- arthur - [email protected] - http://people.debian.org/~adejong --
--- End Message ---