Public bug reported:

Package: sssd
Version: 1.8.6-0ubuntu0.3
Severity: Critical

SSSD refuses to change a user's password when ldap_pwd_policy is set to shadow
and the LDAP server has password policy support disabled.
Changing ldap_pwd_policy to none in sssd.conf fixes the problem but
disables password expiration.
Enabling the ppolicy module and configuring the ppolicy overlay in slapd also
fixes the problem.
Conditions:
- sssd.conf settings:
    id_provider = ldap
    access_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_pwd_policy = shadow
- the user has shadowAccount attributes,
- slapd has the ppolicy module disabled,
- slapd has the ppolicy overlay disabled.

sssd debug output:
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [sdap_pam_chpass_handler]
(0x0040): starting password change request for user [srj].
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [fo_resolve_service_send]
(0x0100): Trying to resolve service 'LDAP_CHPASS'
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [be_resolve_server_done]
(0x0200): Found address for server xxxx: [192.168.0.32] TTL 7200
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [fo_set_port_status] (0x0100):
Marking port 636 of server 'xxxx' as 'working'
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [set_server_common_status]
(0x0100): Marking server xxxx' as 'working'
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [simple_bind_send] (0x0100):
Executing simple bind as: uid=srj,ou=People,dc=xx,dc=xx
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [simple_bind_done] (0x0200):
Server returned no controls.
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [simple_bind_done] (0x0080):
Bind result: Success(0), no errmsg set
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [sdap_auth4chpass_done]
(0x0020): Changing shadow password attributes not implemented.
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [be_pam_handler_callback]
(0x0100): Backend returned: (3, 28, <NULL>) [Internal Error (Module is unknown)]
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [be_pam_handler_callback]
(0x0100): Sending result [28][default]
slapd debug output:
> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result not in cache (modifyTimestamp)
=> access_allowed: read access to "cn=hamiltonbh,ou=Group,dc=thermeon,dc=eu"
"modifyTimestamp" requested
=> dn: [3]
=> acl_get: [4] attr modifyTimestamp
=> acl_mask: access to entry "cn=hamiltonbh,ou=Group,dc=xxx,dc=eu", attr
"modifyTimestamp" requested
=> acl_mask: to value by "cn=view,dc=xxx,dc=eu", (=0)
<= check a_dn_pat: cn=admin,dc=xxx,dc=eu
<= check a_dn_pat: cn=root,dc=xxx,dc=eu
<= check a_dn_pat: cn=root2,dc=xxx,dc=eu
<= check a_dn_pat: cn=view,dc=xxx,dc=eu
<= acl_mask: [4] applying read(=rscxd) (stop)
<= acl_mask: [4] mask: read(=rscxd)
=> slap_access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
=> access_allowed: result not in cache (userPassword)
=> access_allowed: auth access to "uid=srj,ou=People,dc=xxx,dc=eu"
"userPassword" requested
=> acl_get: [2] attr userPassword
=> acl_mask: access to entry "uid=srj,ou=People,dc=xxx,dc=eu", attr
"userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=xxx,dc=eu
<= check a_dn_pat: cn=root,dc=xxx,dc=eu
<= check a_dn_pat: cn=root2,dc=xxx,dc=eu
<= check a_dn_pat: uid=nobody,ou=people,dc=xxx,dc=eu
<= check a_dn_pat: anonymous
<= acl_mask: [5] applying auth(=xd) (stop)
<= acl_mask: [5] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: result not in cache (userPassword)
=> access_allowed: auth access to "cn=root2,dc=xxx,dc=eu" "userPassword"
requested
=> acl_get: [2] attr userPassword
=> acl_mask: access to entry "cn=root2,dc=xxx,dc=eu", attr "userPassword"
requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=xxx,dc=eu
<= check a_dn_pat: cn=root,dc=xxx,dc=eu
<= check a_dn_pat: cn=root2,dc=xxx,dc=eu
<= check a_dn_pat: uid=nobody,ou=people,dc=xxx,dc=eu
<= check a_dn_pat: anonymous
<= acl_mask: [5] applying auth(=xd) (stop)
<= acl_mask: [5] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: search access to "dc=xxx,dc=eu" "entry" requested
** Affects: sssd (Ubuntu)
Importance: Undecided
Status: New
** Affects: sssd (Debian)
Importance: Unknown
Status: Unknown
** Bug watch added: Debian Bug tracker #645929
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645929
** Also affects: sssd (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=645929
Importance: Unknown
Status: Unknown
https://bugs.launchpad.net/bugs/1415545
Title:
Cannot change LDAP password when ldap_pwd_policy=shadow
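
Added example, not part of the original report and not SSSD code: a small check for the combination listed under "Conditions" (LDAP password change with ldap_pwd_policy = shadow against a slapd that logs the password policy control as unrecognized). The function names and the embedded sample inputs are constructed for illustration, and the provider fallback and the "none" default are assumptions marked in the comments.

```python
import configparser
import re

# OID of the control slapd logged as unrecognized in the report above.
PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"

# Constructed samples mirroring the report; not files from the reporter's hosts.
SAMPLE_SSSD_CONF = """\
[domain/default]
id_provider = ldap
access_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_pwd_policy = shadow
"""
SAMPLE_SLAPD_LOG = """\
=> access_allowed: read access granted by read(=rscxd)
slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
=> access_allowed: result not in cache (userPassword)
"""

def shadow_chpass_domains(conf_text):
    """Return [domain/...] sections that change passwords over LDAP with shadow policy."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    hits = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        dom = cp[name]
        # Assumption: an unset chpass_provider falls back to auth_provider, then id_provider.
        chpass = dom.get("chpass_provider") or dom.get("auth_provider") or dom.get("id_provider", "")
        policy = dom.get("ldap_pwd_policy", "none")  # assumption: default is "none"
        if chpass.strip().lower() == "ldap" and policy.strip().lower() == "shadow":
            hits.append(name)
    return hits

def server_rejects_ppolicy(slapd_log):
    """True if slapd logged the password policy control as unrecognized."""
    pat = re.compile(r"unrecognized control:\s*" + re.escape(PPOLICY_OID) + r"(?![\d.])")
    return any(pat.search(line) for line in slapd_log.splitlines())

def at_risk_domains(conf_text, slapd_log):
    """Domains where the failing combination from the report is present."""
    return shadow_chpass_domains(conf_text) if server_rejects_ppolicy(slapd_log) else []

if __name__ == "__main__":
    print(at_risk_domains(SAMPLE_SSSD_CONF, SAMPLE_SLAPD_LOG))
```
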
