On Wed, Jan 4, 2017 at 10:51 AM, Peng Yu <[email protected]> wrote:
> Hi,
>
> I can use the following command to change the password in openldap
> after I create an entry le.
>
> ~~~
> $ sudo ldapsetpasswd le
> Changing password for user uid=le,ou=Users,dc=mydomain,dc=example
> New Password:
> Retype New Password:
> Successfully set password for user uid=le,ou=Users,dc=mydomain,dc=example
> ~~~
>
> And I can see the userPassword field is changed upon calling the above
> command.
>
> ~~~
> $ sudo ldapmodifyuser le
> [sudo] password for pengy:
> # About to modify the following entry :
> dn: uid=le,ou=Users,dc=mydomain,dc=example
> objectClass: account
> objectClass: posixAccount
> objectClass: shadowAccount
> cn: le
> uid: le
> uidNumber: 10103
> gidNumber: 10002
> homeDirectory: /home/le
> loginShell: /bin/bash
> gecos: le
> description: User account
> shadowMax: 180
> shadowLastChange: 0
> userPassword:: e1NTSEF9VzZHdlFnTkdDMitzUk5BRStpMGMzcElVWG9hVTYzRjk=
>
> # Enter your modifications here, end with CTRL-D.
> dn: uid=le,ou=Users,dc=mydomain,dc=example
> Successfully modified user entry uid=le,ou=Users,dc=mydomain,dc=example
> in LDAP
> ~~~
>
> (BTW, why whenever I run ldapsetpasswd to set the same password, the
> userPassword field is set differently?)
>
The userPassword field is changing because the system creates a new SSHA hash every time the password is set.
> But the user le is not able to log in to the servers (the servers
> connected to openldap for authentication) with the new password.
>
> In /var/log/syslog of the openldap server (ubuntu), I see the following
> lines.
>
> ~~~
> Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 fd=39 ACCEPT from IP=172.17.1.6:51975 (IP=0.0.0.0:389)
> Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 BIND dn="" method=128
> Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=0 RESULT tag=97 err=0 text=
> Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SRCH base="dc=domain,dc=example" scope=2 deref=0 filter="(&(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(&(|(host=\2A)(host=elnath))(!(host=!elnath)))(uid=le))"
> Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (host) not indexed
> Jan 2 12:17:22 openldapserver slapd[1082]: message repeated 3 times: [ <= bdb_equality_candidates: (host) not indexed]
> Jan 2 12:17:22 openldapserver slapd[1082]: <= bdb_equality_candidates: (uid) not indexed
> Jan 2 12:17:22 openldapserver slapd[1082]: conn=2884 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> ~~~
>
The log here shows a successful BIND. The "(host) not indexed" entry is not an error, it is simply a message telling you that the "host" attribute is a candidate to be indexed for your BDB database. If you want that message to go away then add an equality index for host.
> On the server to be logged in to (named elnath, also an ubuntu
> server), /var/log/auth.log has the following line.
>
> ~~~
> Jan 2 12:17:22 elnath sshd[21249]: Failed password for le from xxx.xx.xx.xx port 57155 ssh2
> ~~~
>
Were you able to log into this server before changing the password? Do you have PAM set up on your client to use LDAP as a login source?
> I have tried to stop the slapd service, then run slapindex as root, and then
> start the slapd service on the openldapserver. But it still does not work.
>
> Could anybody let me know how to fix this issue? Thanks.
>
> --
> Regards,
> Peng
>
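An added illustration of the reply's point about SSHA (example code, not from this thread or from OpenLDAP): slapd stores userPassword as {SSHA} followed by base64(sha1(password + salt) + salt) with a fresh random salt on each set, so the same password produces a different value every time ldapsetpasswd runs, while every such value still verifies. The password behind the hash in the thread is not known here, so the block only decodes and parses that value; the password it hashes is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The userPassword value as printed by ldapmodifyuser in the thread. The double
# colon in LDIF ("userPassword::") means the attribute value is base64-encoded.
THREAD_USERPASSWORD_B64 = "e1NTSEF9VzZHdlFnTkdDMitzUk5BRStpMGMzcElVWG9hVTYzRjk="


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # slapd draws a new 4-byte random salt on every set
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def parse_ssha(stored: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (20-byte SHA-1 digest, salt); reject malformed input."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short: no salt follows the 20-byte SHA-1 digest")
    return raw[:20], raw[20:]


def check_ssha(password: str, stored: str) -> bool:
    """Verify the way slapd does: re-hash with the stored salt and compare digests."""
    digest, salt = parse_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_userpassword_to_ssha(b64_value: str) -> str:
    """Decode the base64 'userPassword::' form from LDIF back to the {SSHA} string."""
    return base64.b64decode(b64_value).decode("ascii")


if __name__ == "__main__":
    pw = "constructed-example-password"  # placeholder, not the user's real password
    first, second = make_ssha(pw), make_ssha(pw)
    print(first, second, first != second)                 # two different values ...
    print(check_ssha(pw, first), check_ssha(pw, second))  # ... both verify
    stored = ldif_userpassword_to_ssha(THREAD_USERPASSWORD_B64)
    digest, salt = parse_ssha(stored)
    print(stored, len(digest), len(salt))                 # {SSHA}..., 20, 4
```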
