
Re: rootpwmoddn seems not be working properly


On Sat, 2014-11-01 at 17:34 -0200, Erico Fusco wrote:
> passwd prompts "LDAP Administrator password:", but nslcd tries to bind
> without a password before typing it, if I use rootpwmodpw bind is okay
> but it still asks for LDAP admin password. The log below is when used
> without rootpwmodpw.

The PAM module will try authenticating two times when changing another
user's password. From the point of view of the PAM module:
- first as administrator without a password (to see if nslcd has
  rootpwmoddn and rootpwmodpw set)
- on failure prompt for a password (LDAP administrator password) and try
  as administrator with that password

This can result in two authc="" calls in nslcd (empty username is
interpreted as authenticate with rootpwmoddn and empty password is
interpreted as rootpwmodpw if the caller is root).

> After I type the password the bind is done correctly but the base used
> is "rootpwmoddn" with no proper filter, I guess it should search on
> base passwd with a correct filter (using uid for example). Maybe this
> query is related to authentication still? My rootdn and rootpw are
> only in slapd.conf.
> nslcd: [d062c2] <authc=""> DEBUG: nslcd_pam_authc("","passwd","***")
 nslcd: [d062c2] <authc=""> DEBUG: myldap_search(base="cn=admin,dc=epf-mac", filter="(objectClass=*)")
> nslcd: [d062c2] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","***") (uri="ldaps://")
> nslcd: [d062c2] <authc=""> ldap_result() failed: No such object
> nslcd: [d062c2] <authc=""> cn=admin,dc=epf-mac: No such object

As a precaution nslcd will perform a search after the BIND to ensure
that the BIND is successful. Some LDAP servers do not return the correct
error code at BIND but the error is only found after search.

Since your rootdn does not exist in the directory, the search fails (and
as a result authentication fails).

In theory we could replace the search with any other search as long as
it returns an entry after BIND. For normal users this should be the user
object itself but for administrators some other search could be
performed. We could for example request basedn but I've also seen
directories where that does not exist (I think when using the meta

The user uid for which the password is changed is not available in the
administrator authentication request (only information in nslcd.conf and
things logged on the nslcd_pam_authc line).

Until someone can suggest a good search to perform after authentication
I'm afraid we're stuck with having to have the rootpwmoddn be a real
entry in LDAP.


-- arthur - - --
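An added diagnostic (my own, not part of this thread or of nss-pam-ldapd) that correlates nslcd debug lines by request id and flags the failure pattern discussed above: an administrator authentication (authc="") whose post-bind verification search reports "No such object" for the bind DN itself, which means rootpwmoddn is not a real entry in the directory. The sample log is constructed, modelled on the lines quoted in the thread; the second request id and the "jdoe" entry are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of nslcd debug output (request ids and the jdoe request
# are illustrative, not taken from a real server).
SAMPLE_LOG = """\
nslcd: [d062c2] <authc=""> DEBUG: nslcd_pam_authc("","passwd","***")
nslcd: [d062c2] <authc=""> DEBUG: myldap_search(base="cn=admin,dc=epf-mac", filter="(objectClass=*)")
nslcd: [d062c2] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","***") (uri="ldaps://")
nslcd: [d062c2] <authc=""> ldap_result() failed: No such object
nslcd: [d062c2] <authc=""> cn=admin,dc=epf-mac: No such object
nslcd: [a1b2c3] <authc="jdoe"> DEBUG: nslcd_pam_authc("jdoe","sshd","***")
nslcd: [a1b2c3] <authc="jdoe"> DEBUG: myldap_search(base="uid=jdoe,ou=people,dc=epf-mac", filter="(objectClass=*)")
nslcd: [a1b2c3] <authc="jdoe"> DEBUG: ldap_sasl_bind("uid=jdoe,ou=people,dc=epf-mac","***") (uri="ldaps://")
"""

# One nslcd log line: request id, the authc username, and the rest of the message.
LINE_RE = re.compile(r'^nslcd: \[(?P<req>[0-9a-f]+)\] <authc="(?P<user>[^"]*)"> (?P<msg>.*)$')
# The DN used for the BIND (for authc="" this is rootpwmoddn from nslcd.conf).
BIND_RE = re.compile(r'ldap_sasl_bind\("(?P<dn>[^"]*)"')


def find_missing_admin_entries(log_text):
    """Return {request_id: bind_dn} for administrator (empty-username) authc
    requests whose post-BIND verification search failed with 'No such object'
    for the bind DN, i.e. rootpwmoddn does not exist as an entry."""
    per_request = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_request[m.group("req")].append((m.group("user"), m.group("msg")))
    findings = {}
    for req, events in per_request.items():
        # Only administrator authentications (authc="") bind as rootpwmoddn.
        if any(user != "" for user, _ in events):
            continue
        bind_dn = None
        for _, msg in events:
            b = BIND_RE.search(msg)
            if b:
                bind_dn = b.group("dn")
        # The verification search reports the bind DN itself as missing.
        if bind_dn and any(msg == f"{bind_dn}: No such object" for _, msg in events):
            findings[req] = bind_dn
    return findings


if __name__ == "__main__":
    for req, dn in find_missing_admin_entries(SAMPLE_LOG).items():
        print(f"[{req}] rootpwmoddn {dn!r} is not an entry in the directory")
```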