Re: rootpwmoddn seems not be working properly
- From: Erico Fusco <ericopfusco [at] gmail.com>
- To: nss-pam-ldapd-users [at] lists.arthurdejong.org
- Subject: Re: rootpwmoddn seems not be working properly
- Date: Sun, 2 Nov 2014 22:17:27 -0200
On 2 November 2014 10:25, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
> - first as administrator without a password (to see if nslcd has
> rootpwmoddn and rootpwmodpw set)
Isn't it possible to get the parameters in the first place and make the bind with rootpwmoddn and rootpwmodpw? If I have rootpwmoddn and rootpwmodpw set, it doesn't seem right to ask for the LDAP password again.
> Until someone can suggest a good search to perform after authentication
> I'm afraid we're stuck with having to have the rootpwmoddn be a real
> entry in LDAP.
I believe searching the base with base scope is the safest search to use. From my example it would be: ldapsearch -b "dc=epf-mac" -s base
# extended LDIF
#
# LDAPv3
# base <dc=epf-mac> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
# ...
Érico Fusco
On 2 November 2014 10:25, Arthur de Jong <arthur [at] arthurdejong.org> wrote:
On Sat, 2014-11-01 at 17:34 -0200, Erico Fusco wrote:
> passwd prompts "LDAP Administrator password:", but nslcd tries to bind
> without a password before typing it, if I use rootpwmodpw bind is okay
> but it still asks for LDAP admin password. The log below is when used
> without rootpwmodpw.
The PAM module will try authenticating two times when changing another
user's password. From the point of the PAM module:
- first as administrator without a password (to see if nslcd has
rootpwmoddn and rootpwmodpw set)
- on failure prompt for a password (LDAP administrator password) and try
as administrator with that password
This can result in two authc="" calls in nslcd (empty username is
interpreted as authenticate with rootpwmoddn and empty password is
interpreted as rootpwmodpw if the caller is root).
> After I type the password the bind is done correctly but the base used
> is "rootpwmoddn" with no proper filter, I guess it should search on
> base passwd with a correct filter (using uid for example). Maybe this
> query is still related to authentication? My rootdn and rootpw are
> only in slapd.conf.
[...]
> nslcd: [d062c2] <authc=""> DEBUG: nslcd_pam_authc("","passwd","***")
> nslcd: [d062c2] <authc=""> DEBUG: myldap_search(base="cn=admin,dc=epf-mac", filter="(objectClass=*)")
> nslcd: [d062c2] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","***") (uri="ldaps://127.0.0.1/")
> nslcd: [d062c2] <authc=""> ldap_result() failed: No such object
> nslcd: [d062c2] <authc=""> cn=admin,dc=epf-mac: No such object
As a precaution nslcd will perform a search after the BIND to ensure
that the BIND is successful. Some LDAP servers do not return the correct
error code at BIND but the error is only found after search.
Since your rootdn does not exist in the directory, the search fails (and
as a result authentication fails).
In theory we could replace the search with any other search as long as
it returns an entry after BIND. For normal users this should be the user
object itself but for administrators some other search could be
performed. We could for example request basedn but I've also seen
directories where that does not exist (I think when using the meta
backend).
The user uid for which the password is changed is not available in the
administrator authentication request (only information in nslcd.conf and
things logged on the nslcd_pam_authc line).
Until someone can suggest a good search to perform after authentication
I'm afraid we're stuck with having to have the rootpwmoddn be a real
entry in LDAP.
Thanks,
--
-- arthur - arthur [at] arthurdejong.org - http://arthurdejong.org/ --
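As an added example (not code from this thread or from nss-pam-ldapd), a small Python log-triage script that groups nslcd debug lines by request id and flags the failure described above: an empty-user (rootpwmoddn) BIND followed by the post-BIND sanity search returning "No such object", which means rootpwmoddn does not exist as a real entry. The sample log is constructed, modelled on the lines quoted above; the second request id and the uid=alice DN are made up.

```python
import re
from collections import defaultdict

# Constructed sample of nslcd debug output: the admin request id and DN follow the
# thread's log, the "alice" request is a made-up healthy user authentication.
SAMPLE_LOG = """\
nslcd: [d062c2] <authc=""> DEBUG: nslcd_pam_authc("","passwd","***")
nslcd: [d062c2] <authc=""> DEBUG: myldap_search(base="cn=admin,dc=epf-mac", filter="(objectClass=*)")
nslcd: [d062c2] <authc=""> DEBUG: ldap_sasl_bind("cn=admin,dc=epf-mac","***") (uri="ldaps://127.0.0.1/")
nslcd: [d062c2] <authc=""> ldap_result() failed: No such object
nslcd: [d062c2] <authc=""> cn=admin,dc=epf-mac: No such object
nslcd: [a1b2c3] <authc="alice"> DEBUG: nslcd_pam_authc("alice","passwd","***")
nslcd: [a1b2c3] <authc="alice"> DEBUG: myldap_search(base="uid=alice,ou=people,dc=epf-mac", filter="(objectClass=*)")
nslcd: [a1b2c3] <authc="alice"> DEBUG: ldap_sasl_bind("uid=alice,ou=people,dc=epf-mac","***") (uri="ldaps://127.0.0.1/")
"""

# nslcd prefixes every line with the request id and the PAM user being authenticated.
LINE_RE = re.compile(r'^nslcd: \[(?P<sid>[0-9a-f]+)\] <authc="(?P<user>[^"]*)"> (?P<msg>.*)$')
BIND_RE = re.compile(r'ldap_sasl_bind\("(?P<dn>[^"]*)"')


def parse_sessions(log_text):
    """Group nslcd debug lines by request id, keeping the PAM user, bind DN and errors."""
    sessions = defaultdict(lambda: {"user": None, "bind_dn": None, "errors": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions[m["sid"]]
        s["user"] = m["user"]
        b = BIND_RE.search(m["msg"])
        if b:
            s["bind_dn"] = b["dn"]
        if "No such object" in m["msg"]:
            s["errors"].append(m["msg"])
    return dict(sessions)


def find_missing_rootpwmoddn(log_text):
    """Return requests where the empty-user (rootpwmoddn) BIND was followed by a
    'No such object' result: the BIND itself worked, but the post-BIND sanity
    search on that DN found no entry, so rootpwmoddn is not a real LDAP object."""
    hits = []
    for sid, s in parse_sessions(log_text).items():
        if s["user"] == "" and s["bind_dn"] and s["errors"]:
            hits.append({"request": sid, "rootpwmoddn": s["bind_dn"]})
    return hits


if __name__ == "__main__":
    for hit in find_missing_rootpwmoddn(SAMPLE_LOG):
        print(f"request {hit['request']}: rootpwmoddn {hit['rootpwmoddn']} has no entry in the directory")
```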
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe [at] lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/