change password ldap user

gettons · #1 13th April 2011, 08:32 PM

Hi all,

I have a problem with my fedora workstation.
I am trying to change my ldap user password through passwd command.
When I first create the user on ldap server, I use md5 and create the user password.

This is the entry:

Code:

dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: shadowAccount
shadowMax: 999999
shadowWarning: 7
shadowLastChange: 10877
userPassword: {MD5}IKrpa9u8/J9z3VryD0DzEQ==
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
mail: boo@boo.boo
givenName: boo
sn: boo

I have installed all the necessary packages on my fedora 64 bit desktop.
When I first try to change the password by doing the following I get prompted the current password and all goes well for setting up a new one.

Code:

boo@gettons-desktop:~$ passwd

But If I do that again, It does not recognize my actual password for some reasons.
Infact I get:

Code:

boo@gettons-desktop:~$ passwd 
Enter login(LDAP) password: 
LDAP Password incorrect: try again
Enter login(LDAP) password: 
Password change aborted
passwd: User not known to the underlying authentication module
passwd: password unchanged

Doing that with root user all goes well, I presume because It does not check the actual password while setting the new one up.

Interesting config file on the client:

Code:

boo@gettons-desktop:~$ cat /etc/login.defs
...
ENCRYPT_METHOD MD5
...

boo@gettons-desktop:~$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Thanks in advance.

smr54 · #2 13th April 2011, 09:56 PM

I'm a bit confused--what user needs a password changed. The passwd command will change the command on the local machine. If you want to change the password that is defined in slapd.conf you use slappasswd (I think that's the name.)

My page at http://home.roadrunner.com/~computertaijutsu/ldap.html

covers change the password.

gettons · #3 13th April 2011, 10:05 PM

Hi,thanks for your reply.

What I need is get the user boo to change her password via passwd without
using any ldap command.
I know this can be done because I have seen this working at work, I have the very same configuration
files apart from ssl which is not used in my environment at the moment.

Also,the reason why I think It should be working is because the first time I change the
password it does work ( and I can login with the new password on other machines as well ), but the second time it doesn't and it ends up saying the password is not the right one.
also, if I do that with the root user doing
passwd boo
it does work and I can login with the new password to other machines.

Basically I would like to let the users change their password in the simplest way.

Thanks

gettons · #4 14th April 2011, 10:35 AM

I think I got confused when I did copy and paste from the terminal. The password doesn't look like the same. I did another test, still not working.

Removed the ldif files, stopped the server, imported the ldiff files, and started from scratch.
First, I set the user up in the ldif file:

Code:

dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: shadowAccount
shadowMax: 999999
shadowWarning: 7
shadowLastChange: 10877
userPassword: {MD5}IKrpa9u8/J9z3VryD0DzEQ==
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
mail: boo@yahoo.it
givenName: boo
sn: boo

then I can login with the password chosen on the client machine. And do:

Code:

# boo, People, linux.gettolandia.org
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
shadowMax: 999999
shadowWarning: 7
shadowLastChange: 10877
userPassword:: e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
mail: boo@yahoo.it
givenName: boo
sn: boo

Also running the following commands I get:

Code:

getent passwd
boo:x:9001:9001:boo:/home/boo:/bin/bash

getent shadow
boo:*:10877::999999:7:::

Then I change the password from user boo using the passwd command and I logout and login again on the client:
Then I issue the command:

Code:

dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
email: boo@yahoo.it
givenName: boo
sn: boo
userPassword:: e2NyeXB0fSQxJDJmU21EcVVsJFB1MHd5ZzRmNlIvbzdwcmtERnFNcy4=

By having a look at the password, I notice that it's different:
python -c "import base64; print base64.b64decode('e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBE ekVRPT0=')"
{MD5}IKrpa9u8/J9z3VryD0DzEQ==
python -c "import base64; print base64.b64decode('e2NyeXB0fSQxJDJmU21EcVVsJFB1MHd5 ZzRmNlIvbzdwcmtERnFNcy4=')"
{crypt}$1$2fSmDqUl$Pu0wyg4f6R/o7prkDFqMs.

It looks like it's using different encryption isnt'?

It's now that if I run passwd again that I get an error:

Code:

[boo@nassettone ~]$ passwd
Changing password for user boo.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
[boo@nassettone ~]$

If I run:

Code:

getent shadow now:
boo:$1$2fSmDqUl$Pu0wyg4f6R/o7prkDFqMs.:15078::999999:7:::