On Saturday 8 March 2014, 17:21:26, Stéphane Guedon wrote:
> On Saturday 8 March 2014, 09:09:08, Matthew Weigel wrote:
> > On Mar 8, 2014, at 6:29 AM, Stéphane Guedon <[email protected]> wrote:
> > 
> > > Notably, the user fails to authenticate and log in (with the OpenBSD
> > > login system AND web pages) even though the password is correct
> > > according to LDAP itself!
> > 
> > That's a lot more moving parts than just passwords in LDAP.
> 
> Yes, but passwords are the first things to change to secure your
> users/install.
> 
> I am currently working on a little web page in Python to allow easy
> LDAP management (add/remove users and groups, password updates).
> 
> > Have you
> > checked your configuration of all those moving parts? Looked at
> > logs? You don't even mention what else you're using, much less how
> > they've been configured or what their logs report.
> 
> I am looking through logs and config since the beginning of the
> day... Actually, asking help on forums or mailing lists is always
> my last step in solving problems...
> 
> here is my config :
> 
> ####
> include         schema/core.schema
> include         schema/cosine.schema
> include         schema/inetorgperson.schema
> include         schema/misc.schema
> include         schema/nis.schema
> include         schema/openldap.schema
> 
> loglevel        256
> 
> pidfile         run/slapd.pid
> argsfile        run/slapd.args
> allow           bind_v2
> password-hash   {SHA}
> 
> ####################################################################
> # BDB database definitions
> ####################################################################
> 
> database        bdb
> suffix          "dc=22decembre,dc=eu"
> rootdn          "cn=admin,dc=22decembre,dc=eu"
> 
> access to dn.base="" by * read
> access to dn.base="cn=Subschema" by * read
> 
> #access to attrs=userpassword
> #      by self       write
> #       by anonymous  auth
> #      by *          none
> 
> #rootpw         secret
> rootpw          {SSHA}vdszl5a7z9UlAU6iHU0xlKJCY+Tpgmv+
> 
> # The database directory MUST exist prior to running slapd AND
> # should only be accessible by the slapd and slap tools.
> # Mode 700 recommended.
> directory       data
> # Indices to maintain
> index   objectClass     eq
> index   uid                     eq
> index   uidNumber               eq
> index   gidNumber               eq
> index   memberUid               eq
> index   homeDirectory           eq
> index   loginShell              eq
> index   cn,gn,mail              pres,eq,sub
> 
> ######
> 
> I have tried to disable all ACLs (so the default policy applies:
> everything readable). But it is still not possible to log on.
> 
> Here is what I get when trying to use login_ldap with debugging:
> 
> 
> # /usr/local/libexec/auth/login_-ldap -d -s login stephane ldap
> Password:
> load_ssl_certs says:
>         cacert none
>         cacertdir none
>         usercert none
>         userkey none
> parse_server_line buf = localhost
> parse_server_line port == NULL, will use default
> parse_server_line mode == NULL, will use default
> host localhost, port 389, version 3
> setting cert info
> clearing ssl set
> connect success!
> set version to 3
> defaults:
>         basedn ou=users,dc=22decembre,dc=eu
>         binddn none
>         bindpw none
> set timeout sec 60, usec 60000
> set noref 0
> set keepcreds 0
> bind success!
> usearch:
>         ufilter (&(objectclass=posixAccount)(uid=stephane))
>         scope: sub
> 0: search (ou=users,dc=22decembre,dc=eu,
> (&(objectclass=posixAccount) (uid=stephane)))
> 1: msgid 0, type 64
> 1: SEARCH_ENTRY userdn uid=stephane,ou=users,dc=22decembre,dc=eu
> 1: msgid 1, type 65
> 1: returning userdn = uid=stephane,ou=users,dc=22decembre,dc=eu
> userdn uid=stephane,ou=users,dc=22decembre,dc=eu
> user bind failed, dn: uid=stephane,ou=users,dc=22decembre,dc=eu
> reject

When using the one in /usr/libexec/auth/login_... instead of
/usr/local/libexec... it works!

And I can start ypldap!

But why can't I authenticate (using ssh or login) on the system? Do I
really have to go through ypldap? It does not sound efficient to have an
intermediary!

And I am still having problems with my PHP scripts, which I am debugging
now.

Thanks for your help and answers. Please continue if you have any ideas!
:D

> 
> > I am using ypldap from base and login_ldap from ports; your mileage
> > may vary.
> > 
> > > By the way, does anybody use the light ldapd daemon included in
> > > base? Can we update passwords with it?
> > 
> > I use it. It does not currently support the modify password
> > extended operation (what ldappasswd relies on). I am working on a
> > patch for it but I haven't finished it and it requires a bit more
> > refactoring than just processing one new request.
> 
> Ok, so I think I will check ldapd from time to time...
> 
> > --
> > Matthew Weigel
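
The trace above shows slapd accepting the anonymous bind and finding the entry, then rejecting the simple bind as that user. Before blaming login_ldap or ypldap, one check worth doing is whether the stored userPassword value itself verifies against the password offline, in the RFC 2307 form slapd uses ({SHA} and {SSHA}, the two schemes present in the posted config). The following is an added example, not part of this thread or of any OpenBSD or OpenLDAP code; the passwords it hashes are constructed for the example. It also shows one way a home-grown web script can produce a value that looks right but never verifies (base64 of the hex digest instead of the raw digest); that is a general pitfall, not a claim about the PHP scripts mentioned above.

```python
"""Offline check of RFC 2307-style userPassword values ({SHA}, {SSHA}, cleartext).

Added example for this thread; the password strings below are constructed.
"""
import base64
import hashlib
import hmac
import os


def make_sha(password):
    """Return a {SHA} value: base64 of the raw 20-byte SHA-1 digest.

    This is the form slapd stores with `password-hash {SHA}`.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password, salt=None):
    """Return a {SSHA} value: base64(sha1(password + salt) + salt).

    A 4-byte random salt is used when none is given, matching slappasswd.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def wrong_sha_hex_then_base64(password):
    """A common web-script mistake (constructed for illustration).

    Base64-encoding the *hex* digest (40 ASCII chars, e.g. what PHP's sha1()
    returns by default) instead of the raw 20 bytes yields a value that
    starts with {SHA} but can never verify against the password.
    """
    hexdigest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return "{SHA}" + base64.b64encode(hexdigest.encode("ascii")).decode("ascii")


def verify(stored, password):
    """Check a password against a stored userPassword value.

    Handles the schemes in the posted config ({SHA}, {SSHA}) plus a cleartext
    value (no scheme prefix). Unknown schemes and malformed base64 return
    False rather than raising, so this can be run over a whole dump.
    """
    pw = password.encode("utf-8")
    if not stored.startswith("{"):
        # No scheme prefix: slapd treats the value as cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, _, rest = stored[1:].partition("}")
    scheme = scheme.upper()
    try:
        raw = base64.b64decode(rest, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    if scheme == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme == "SSHA":
        if len(raw) <= 20:  # need at least one salt byte after the digest
            return False
        digest, salt = raw[:20], raw[20:]
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    return False


if __name__ == "__main__":
    good_sha = make_sha("secret")
    good_ssha = make_ssha("secret")
    bad = wrong_sha_hex_then_base64("secret")
    print(good_sha, verify(good_sha, "secret"))     # True
    print(good_ssha, verify(good_ssha, "secret"))   # True
    print(bad, verify(bad, "secret"))               # False: looks like {SHA}, never matches
```

To compare against the live directory, read the entry's userPassword attribute as the rootdn with ldapsearch and pass the value to verify(); if that returns False for the password the user is typing, the stored value is wrong and no change to login_ldap, ypldap or ACLs will make the bind succeed.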
