rootpwmoddn seems not to be working properly

I tried to use rootpwmoddn to change a user password, but it seems it's querying LDAP with incorrect parameters and binding twice.

I'd like to confirm if this is really a bug or if I'm missing something.

I'm using nslcd 0.9.4 on Ubuntu 14.04.1

My nsswitch and PAM configuration is the same as described at http://arthurdejong.org/nss-pam-ldapd/setup

/etc/nslcd.conf
---
base dc=epf-mac
rootpwmoddn cn=admin,dc=epf-mac
base   group  ou=Groups,dc=epf-mac
base   passwd ou=People,dc=epf-mac
base   shadow ou=People,dc=epf-mac
---

I have only one user (cn=ericol,ou=People,dc=epf-mac)

# passwd ericol

passwd prompts "LDAP Administrator password:", but nslcd tries to bind without a password before I type it. If I use rootpwmodpw the bind is okay, but it still asks for the LDAP admin password. The log below is from a run without rootpwmodpw.

nslcd: [334873] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","") (uri="ldaps://127.0.0.1/")
nslcd: [334873] <authc=""> DEBUG: set_socket_timeout(10,500000)
nslcd: [334873] <authc=""> DEBUG: ldap_parse_result() result: Server is unwilling to perform: unauthenticated bind (DN with no password) disallowed
nslcd: [334873] <authc=""> DEBUG: failed to bind to LDAP server ldaps://127.0.0.1/: Server is unwilling to perform: unauthenticated bind (DN with no password) disallowed
nslcd: [b141f2] <authc=""> DEBUG: set_socket_timeout(5,0)
nslcd: [b141f2] <authc=""> DEBUG: ldap_unbind()
nslcd: [b141f2] <authc=""> cn=admin,dc=epf-mac: Server is unwilling to perform

--------------

After I type the password the bind is done correctly, but the base used is "rootpwmoddn" with no proper filter. I guess it should search on the passwd base with a correct filter (using uid, for example). Maybe this query is still related to authentication? My rootdn and rootpw are only in slapd.conf.

nslcd: [d062c2] DEBUG: connection from pid=2163 uid=0 gid=0
nslcd: [d062c2] <authc=""> DEBUG: nslcd_pam_authc("","passwd","***")
nslcd: [d062c2] <authc=""> DEBUG: myldap_search(base="cn=admin,dc=epf-mac", filter="(objectClass=*)")
nslcd: [d062c2] <authc=""> DEBUG: ldap_initialize(ldaps://127.0.0.1/)
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_rebind_proc()
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,10)
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,10)
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,10)
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [d062c2] <authc=""> DEBUG: ldap_set_option(LDAP_OPT_X_TLS,LDAP_OPT_X_TLS_HARD)
nslcd: [d062c2] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","***") (uri="ldaps://127.0.0.1/")
nslcd: [d062c2] <authc=""> DEBUG: set_socket_timeout(10,500000)
nslcd: [d062c2] <authc=""> ldap_result() failed: No such object
nslcd: [d062c2] <authc=""> cn=admin,dc=epf-mac: No such object
nslcd: [d062c2] <authc=""> DEBUG: set_socket_timeout(5,0)
nslcd: [d062c2] <authc=""> DEBUG: ldap_unbind()

OpenLDAP log for the bind and query shown above.

Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 fd=39 ACCEPT from IP=127.0.0.1:43912 (IP=0.0.0.0:636)
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 fd=39 TLS established tls_ssf=256 ssf=256
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=0 BIND dn="cn=admin,dc=epf-mac" method=128
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=0 BIND dn="cn=admin,dc=epf-mac" mech=SIMPLE ssf=0
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=0 RESULT tag=97 err=0 text=
Nov  1 18:50:56 ubuntu01 slapd[1098]: connection_input: conn=1061 deferring operation: binding
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=1 SRCH base="cn=admin,dc=epf-mac" scope=0 deref=0 filter="(objectClass=*)"
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=1 SRCH attr=dn
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=2 ABANDON msg=2
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=3 UNBIND
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 fd=39 closed


Thanks,

Érico Fusco

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
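An added triage example, not part of the post above and not nss-pam-ldapd code: a small Python script that scans nslcd debug output for a simple bind carrying an empty password (the "unauthenticated bind" that slapd refuses with "unwilling to perform") and scans the slapd log for a base-scope search of the bind DN itself that returns err=32 (noSuchObject) on the same connection. Both patterns appear in the logs quoted in the post; the sample lines embedded below are constructed copies of those lines, trimmed to the ones the checks need.

```python
import re

# Constructed sample input: copies of the nslcd debug lines and slapd log
# lines quoted in the post, trimmed to the lines that matter for triage.
NSLCD_LOG = """\
nslcd: [334873] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","") (uri="ldaps://127.0.0.1/")
nslcd: [334873] <authc=""> DEBUG: ldap_parse_result() result: Server is unwilling to perform: unauthenticated bind (DN with no password) disallowed
nslcd: [d062c2] <authc=""> DEBUG: myldap_search(base="cn=admin,dc=epf-mac", filter="(objectClass=*)")
nslcd: [d062c2] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","***") (uri="ldaps://127.0.0.1/")
nslcd: [d062c2] <authc=""> ldap_result() failed: No such object
"""

SLAPD_LOG = """\
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 fd=39 TLS established tls_ssf=256 ssf=256
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=0 BIND dn="cn=admin,dc=epf-mac" method=128
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=0 RESULT tag=97 err=0 text=
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=1 SRCH base="cn=admin,dc=epf-mac" scope=0 deref=0 filter="(objectClass=*)"
Nov  1 18:50:56 ubuntu01 slapd[1098]: conn=1061 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# nslcd logs the bind DN and the password (masked as *** when non-empty).
NSLCD_BIND_RE = re.compile(r'ldap_sasl_bind\("([^"]*)","([^"]*)"\)')
# slapd prefixes every operation with conn=N op=M.
SLAPD_OP_RE = re.compile(r'conn=(\d+) op=(\d+) (.*)$')


def find_empty_password_binds(nslcd_log):
    """Return the DNs nslcd tried to bind as with an empty password.

    A non-empty DN with an empty password is an 'unauthenticated bind';
    slapd refuses it with 'unwilling to perform' unless explicitly allowed.
    An empty DN with an empty password is a plain anonymous bind and is
    deliberately not reported here.
    """
    dns = []
    for line in nslcd_log.splitlines():
        m = NSLCD_BIND_RE.search(line)
        if m and m.group(1) != "" and m.group(2) == "":
            dns.append(m.group(1))
    return dns


def find_bind_dns_without_entry(slapd_log):
    """Return bind DNs for which a scope=0 search of the DN itself returned
    err=32 (noSuchObject) on the same connection: the DN authenticated but
    does not exist as an entry in the directory."""
    bound_dn = {}     # conn -> DN that bound on that connection
    base_search = {}  # (conn, op) -> base DN of a scope=0 search
    missing = []
    for line in slapd_log.splitlines():
        m = SLAPD_OP_RE.search(line)
        if not m:
            continue
        conn, op, msg = m.groups()
        mb = re.match(r'BIND dn="([^"]*)"', msg)
        if mb:
            bound_dn[conn] = mb.group(1)
            continue
        ms = re.match(r'SRCH base="([^"]*)" scope=0', msg)
        if ms:
            base_search[(conn, op)] = ms.group(1)
            continue
        if re.match(r'SEARCH RESULT tag=\d+ err=32', msg):
            base = base_search.get((conn, op))
            if base is not None and base == bound_dn.get(conn) and base not in missing:
                missing.append(base)
    return missing


def triage(nslcd_log, slapd_log):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for dn in find_empty_password_binds(nslcd_log):
        findings.append(f"empty-password (unauthenticated) bind attempted as {dn}")
    for dn in find_bind_dns_without_entry(slapd_log):
        findings.append(f"bind DN {dn} is not an entry in the DIT (base search returned err=32)")
    return findings


if __name__ == "__main__":
    for finding in triage(NSLCD_LOG, SLAPD_LOG):
        print(finding)
```

The second check is the one worth knowing when reading such logs: a base-scope search of a DN that returns err=32 means the DN is not an entry in the DIT, and an OpenLDAP rootdn defined only in slapd.conf can bind successfully without existing as an entry, which matches what the post reports. Whether nslcd should be searching that DN at all is a separate question for the list.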