Re: Password problem

On Fri, 2013-11-01 at 10:46 +0100, Olivier Hoarau wrote:
> I understand that I have to change the way the password are stored on
> the slapd server. I have tried to change from crypt to ssha, now when I make
> 
> getent shadow lena
> 
> I get
> 
> lena:{SSHA}renpwB8SX7LuxjLTgb+L8BWOfzhJTmEyZmNlR1JJTHJRNXlo:14855::99999::::0
> 
> but the su also failed

For bind authentication the shadow output is not used (and the
userPassword mapping is no longer needed).

For some reason the BIND still fails on the LDAP server:

> conn=1007 fd=20 ACCEPT from IP=192.168.0.27:58616 (IP=0.0.0.0:389)
> conn=1007 op=0 BIND dn="uid=lena,ou=People,dc=kervao,dc=fr" method=128
> conn=1007 op=0 RESULT tag=97 err=49 text=
[...]
> nslcd: [2dba31] <authc="lena"> DEBUG: failed to bind to LDAP server 
> ldap://192.168.0.9/: Invalid credentials

Can you log in with this:

ldapsearch -H ldap://192.168.0.9/ -x -W \
  -D 'uid=lena,ou=People,dc=kervao,dc=fr' \
  -b 'uid=lena,ou=People,dc=kervao,dc=fr' \
  '(objectclass=*)' dn

It rules out issues in the PAM and NSS stacks, as it goes directly to
your LDAP server.

You should be able to use slappasswd to generate a usable password hash
or use ldappasswd to set a password that the LDAP server supports:

ldappasswd -H ldap://192.168.0.9/ -x -W -S \
  -D 'cn=Manager,dc=kervao,dc=fr' \
  'uid=lena,ou=People,dc=kervao,dc=fr'

Hope this helps.

Btw, in the slapd output it complains about a missing index on uid. You
could add it, stop slapd, reindex the DB (and re-fix the permissions)
and start slapd again. I've seen a few cases where a misbehaving
database results in weird data being returned.

Thanks,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
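The checks suggested in the reply go through slapd itself. As an added example (not code from the post, from nss-pam-ldapd or from OpenLDAP), the Python script below reproduces what slapd does when it verifies an {SSHA} userPassword value against a bind password, so a hash copied from `getent shadow` can be checked offline against the password being typed. The layout assumed is OpenLDAP's: base64 of a 20-byte SHA-1 digest of password+salt, followed by the salt. The hash from the post is included only to inspect its structure, since its password is not known; the constant names and the `example-password` value are the example's own.

```python
"""Generate and verify OpenLDAP {SSHA} userPassword values offline.

Added example, not code from the post or from nss-pam-ldapd/OpenLDAP.
Assumed layout (OpenLDAP liblutil): base64(sha1(password + salt) + salt);
the first 20 decoded bytes are the digest, whatever follows is the salt.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

PREFIX = "{SSHA}"
SHA1_LEN = 20

# Line copied from the post's `getent shadow lena` output. Only its structure
# is examined here, because the password behind the hash is not known.
POSTED_SHADOW_LINE = (
    "lena:{SSHA}renpwB8SX7LuxjLTgb+L8BWOfzhJTmEyZmNlR1JJTHJRNXlo:14855::99999::::0"
)


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value; slappasswd uses a 4-byte random salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(value: str) -> Tuple[bytes, bytes]:
    """Split a {SSHA} value into (digest, salt); ValueError if malformed."""
    if not value.startswith(PREFIX):
        raise ValueError("not an {SSHA} value: %r" % value[:8])
    # validate=True rejects characters outside the base64 alphabet
    # (binascii.Error is a subclass of ValueError).
    raw = base64.b64decode(value[len(PREFIX):], validate=True)
    if len(raw) <= SHA1_LEN:
        raise ValueError("decoded value too short for a SHA-1 digest plus salt")
    return raw[:SHA1_LEN], raw[SHA1_LEN:]


def ssha_verify(password: str, value: str) -> bool:
    """True if password matches value; malformed values never verify."""
    try:
        digest, salt = ssha_split(value)
    except ValueError:
        return False
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison, as a directory server should do it.
    return hmac.compare_digest(candidate, digest)


def shadow_password_field(getent_line: str) -> str:
    """Return the password field (second colon-separated field) of a shadow line."""
    fields = getent_line.split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow line")
    return fields[1]


def check_posted_hash() -> Tuple[int, int]:
    """(digest length, salt length) of the hash from the post."""
    digest, salt = ssha_split(shadow_password_field(POSTED_SHADOW_LINE))
    return len(digest), len(salt)


if __name__ == "__main__":
    fresh = ssha_hash("example-password")
    print(fresh)
    print("correct password verifies:", ssha_verify("example-password", fresh))
    print("wrong password verifies:  ", ssha_verify("wrong", fresh))
    print("posted hash: %d-byte digest, %d-byte salt" % check_posted_hash())
```

The posted value decodes to 36 bytes, i.e. a 20-byte digest and a 16-byte salt. slapd accepts any salt length when checking {SSHA}, so that alone does not explain the `err=49`; it does show the hash was not made with slappasswd's default 4-byte salt, which is worth knowing when tracking down which tool wrote it. If `ssha_verify` returns False for the hash and the password actually being typed, the directory holds a different password than expected and resetting it with ldappasswd, as the reply suggests, is the fix.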