pwdReset problem in CentOS 7

Hi all

I'm trying to add pwdReset support to a small ldap directory of my users: I
would simply like my users to be forced to change their passwords the first
time they login via ssh, after the admin set the temporary password for
them.
My directory is implemented on CentOS 7 with openldap-2.4.44. I upgraded
nss-pam-ldapd to 0.9.10 to better debug the problem I'm going to explain. I
recompiled the Fedora Rawhide rpm. I authenticate via PAM. The setup is
rather standard: LDAP support was enabled by running the RH tool authconfig
--enableldap --enableldapauth --ldapserver=127.0.0.1
--ldapbasedn="dc=test,dc=it" --enablemkhomedir --updateall.

As long as pwdReset is not used, or is FALSE, authentication is ok.
When I set pwdReset to TRUE, authentication is always denied, and no
password changing prompt is issued to the user.

I ran nslcd in debug mode. This is what happens when I type the password and
press return to the ssh client I use for my tests:

nslcd: [a7c4c9] DEBUG: connection from pid=19574 uid=0 gid=0
nslcd: [a7c4c9] <passwd="lux"> DEBUG: myldap_search(base="dc=test,dc=it", filter="(&(objectClass=posixAccount)(uid=lux))")
nslcd: [a7c4c9] <passwd="lux"> DEBUG: ldap_result(): uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
nslcd: [a7c4c9] <passwd="lux"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [68079a] DEBUG: connection from pid=19574 uid=0 gid=0
nslcd: [68079a] <passwd="lux"> DEBUG: myldap_search(base="dc=test,dc=it", filter="(&(objectClass=posixAccount)(uid=lux))")
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_rebind_proc()
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://127.0.0.1/")
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_result(): uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
nslcd: [68079a] <passwd="lux"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [6afb66] DEBUG: connection from pid=19574 uid=0 gid=0
nslcd: [6afb66] <passwd="lux"> DEBUG: myldap_search(base="dc=test,dc=it", filter="(&(objectClass=posixAccount)(uid=lux))")
nslcd: [6afb66] <passwd="lux"> DEBUG: ldap_result(): uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
nslcd: [6afb66] <passwd="lux"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e45d32] DEBUG: connection from pid=19574 uid=0 gid=0
nslcd: [e45d32] <authc="lux"> DEBUG: nslcd_pam_authc("lux","sshd","***")
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="dc=test,dc=it", filter="(&(objectClass=posixAccount)(uid=lux))")
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_rebind_proc()
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_simple_bind_s(NULL,NULL) (uri="ldap://127.0.0.1/")
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_result(): uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it", filter="(objectClass=*)")
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_initialize(ldap://127.0.0.1/)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_rebind_proc()
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [e45d32] <authc="lux"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it", filter="(objectClass=*)")
nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
nslcd: [e45d32] <authc="lux"> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it: Insufficient access
nslcd: [e45d32] <authc="lux"> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it: Password must be changed
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_unbind()

It seems that after the SASL bind, a search is always performed, but since
pwdReset is TRUE, this is not allowed.
From what I can understand, this is independent of my ACLs, which are the
defaults and are as follows:

olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=test
 ,dc=it" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=test,dc=it" write by * read

Is there something I'm missing to be able to use pwdReset?

Thank you, Luigi
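The trace above has one telling sequence in request e45d32: the user bind succeeds with a ppolicy response control ("Password must be changed"), nslcd then issues a search on the user's own entry, and slapd rejects it because a pwdReset session is restricted to bind/unbind/abandon/StartTLS/modify password. The script below, an added example and not code from the post or from nss-pam-ldapd, groups nslcd debug lines by request id and flags exactly that pattern, so the same check can be run over other nslcd traces when a pwdReset login fails. The pwdReset log is a subset of the lines quoted above with the mail archive's wrapped lines rejoined; the comparison log for a normal login is constructed, and the verdict labels are this example's own names.

```python
import re

# Lines from the post above (wrapped lines rejoined); only the lookup request
# 6afb66 and the authentication request e45d32 are kept.
PWDRESET_LOG = """\
nslcd: [6afb66] DEBUG: connection from pid=19574 uid=0 gid=0
nslcd: [6afb66] <passwd="lux"> DEBUG: myldap_search(base="dc=test,dc=it", filter="(&(objectClass=posixAccount)(uid=lux))")
nslcd: [6afb66] <passwd="lux"> DEBUG: ldap_result(): uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
nslcd: [6afb66] <passwd="lux"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [e45d32] DEBUG: connection from pid=19574 uid=0 gid=0
nslcd: [e45d32] <authc="lux"> DEBUG: nslcd_pam_authc("lux","sshd","***")
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="dc=test,dc=it", filter="(&(objectClass=posixAccount)(uid=lux))")
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_result(): uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [e45d32] <authc="lux"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it", filter="(objectClass=*)")
nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
nslcd: [e45d32] <authc="lux"> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it: Insufficient access
nslcd: [e45d32] <authc="lux"> uid=lux,ou=Tecnici,ou=People,dc=test,dc=it: Password must be changed
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_unbind()
"""

# Constructed comparison trace (not from the post): the same flow for an
# account with pwdReset FALSE, where the search after the bind is answered.
NORMAL_LOG = """\
nslcd: [0a0a0a] DEBUG: connection from pid=19600 uid=0 gid=0
nslcd: [0a0a0a] <authc="lux"> DEBUG: nslcd_pam_authc("lux","sshd","***")
nslcd: [0a0a0a] <authc="lux"> DEBUG: myldap_search(base="dc=test,dc=it", filter="(&(objectClass=posixAccount)(uid=lux))")
nslcd: [0a0a0a] <authc="lux"> DEBUG: ldap_result(): uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
nslcd: [0a0a0a] <authc="lux"> DEBUG: ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [0a0a0a] <authc="lux"> DEBUG: myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it", filter="(objectClass=*)")
nslcd: [0a0a0a] <authc="lux"> DEBUG: ldap_result(): uid=lux,ou=Tecnici,ou=People,dc=test,dc=it
nslcd: [0a0a0a] <authc="lux"> DEBUG: ldap_result(): end of results (1 total)
nslcd: [0a0a0a] <authc="lux"> DEBUG: ldap_unbind()
"""

# "nslcd: [<request id>] <kind="user"> message"; the <kind="user"> tag is absent
# on the first line of each request.
LINE_RE = re.compile(
    r'^nslcd: \[(?P<req>[0-9a-f]+)\] (?:<(?P<kind>\w+)="(?P<user>[^"]*)"> )?(?P<msg>.*)$')
BIND_RE = re.compile(r'^DEBUG: ldap_sasl_bind\("(?P<dn>[^"]+)"')
PPOLICY_RE = re.compile(r'LDAP_CONTROL_PASSWORDPOLICYRESPONSE \((?P<msg>[^)]*)\)')
RESTRICTED = 'Operations are restricted to'  # slapd's pwdReset session restriction


def parse_nslcd_log(text):
    """Group nslcd debug lines by request id, keeping the request kind and user."""
    requests = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an nslcd line (blank, or another daemon's output)
        req = requests.setdefault(m['req'], {'kind': None, 'user': None, 'events': []})
        if m['kind']:
            req['kind'], req['user'] = m['kind'], m['user']
        req['events'].append(m['msg'])
    return requests


def diagnose(requests):
    """For each authentication request, report what happened after the user bind."""
    findings = []
    for rid, req in requests.items():
        if req['kind'] != 'authc':
            continue  # lookups (passwd, group, ...) never bind as the user
        events = req['events']
        bind_idx = next((i for i, e in enumerate(events) if BIND_RE.match(e)), None)
        if bind_idx is None:
            continue  # request ended before the user bind was attempted
        after = events[bind_idx + 1:]
        ppolicy = next(filter(None, map(PPOLICY_RE.search, after)), None)
        finding = {
            'request': rid,
            'user': req['user'],
            'bind_dn': BIND_RE.match(events[bind_idx])['dn'],
            'ppolicy_message': ppolicy['msg'] if ppolicy else None,
            'must_change_password': bool(ppolicy and 'must be changed' in ppolicy['msg']),
            'post_bind_search': any(e.startswith('DEBUG: myldap_search(') for e in after),
            'restricted_session': any(RESTRICTED in e for e in after),
        }
        # Verdict names are this example's own labels.
        if finding['must_change_password'] and finding['post_bind_search'] \
                and finding['restricted_session']:
            finding['verdict'] = 'post-bind-search-blocked-by-pwdReset'
        elif finding['restricted_session']:
            finding['verdict'] = 'restricted-session'
        else:
            finding['verdict'] = 'ok'
        findings.append(finding)
    return findings


if __name__ == '__main__':
    for name, log in (('pwdReset=TRUE', PWDRESET_LOG), ('pwdReset=FALSE', NORMAL_LOG)):
        for f in diagnose(parse_nslcd_log(log)):
            print(name, f['request'], f['bind_dn'], f['verdict'], f['ppolicy_message'])
```

Run against a full `nslcd -d` capture the script reports one line per authentication attempt, so a failed first login can be attributed to the pwdReset restriction rather than to the ACLs (which the trace shows are never consulted for that search: slapd rejects it before access control, with the "Operations are restricted" message).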