LinuxQuestions.org
Old 04-12-2011, 11:20 AM   #1
gettons1980
LQ Newbie
 
Registered: Jun 2008
Posts: 21

changing ldap password from client machine


Hi all,


I have been playing a bit with openldap on my router with openwrt Backfire 10.03.1-rc4 on it.
It has a package already compiled; the drawback is that the database is ldif type only (because of the hardware, being just a broadband router).

Firstly on my server I configured slapd.conf
Quote:

access to *
by self write
by anonymous read
by dn="cn=Manager,dc=linux,dc=gettolandia,dc=org" write
by * read
and then I started building the 3 ldif files, against which, in turn, I run:
ldapadd -x -D "cn=Manager,dc=linux,dc=gettolandia,dc=org" -W -f base.ldif
ldapadd -x -D "cn=Manager,dc=linux,dc=example,dc=org" -W -f users.ldif
ldapadd -x -D "cn=Manager,dc=linux,dc=example,dc=org" -W -f groups.ldif

An example from users.ldif is the following one:

Quote:
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: Piccola Boo
objectclass: account
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
shadowMax: 99999
shadowWarning: 7
userPassword: {SSHA}VqFWUsG/S6BJMkAnXAISFHLOxjbcd9ic
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: Boo



Then I set my client workstation up with
authconfig-tui --disablefingerprint
after the installation of some rpm packages needed (nss_ldap ... openldap ...)
and I have added
Quote:
pam_password ssha
to the nss_ldap configuration file.

I can getent passwd on the client, I can su - USERONLDAP, I can connect with ssh USERONLDAP@client.
Then I tried to change the password: I get asked for the current LDAP password, I fill in the password and then a new one.

Then I try again to connect locally doing su - USERONLDAP, ssh USERONLDAP@client, and it brilliantly works.

I can ldapsearch and I presume the below password is the new one I have just changed.

Quote:
# boo, People, linux.gettolandia.org
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: Piccola Boo
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9VnFGV1VzRy9TNkJKTWtBblhBSVNGSExPeGpiY2Q5aWM=
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: Boo

The problem is that if I try to run passwd again to change the password (as USERONLDAP on the client machine), once I fill in the current password, I get the following error:

Quote:
[boo@clientmachine ~]$ passwd
Changing password for user boo.
Enter login(LDAP) password:
LDAP Password incorrect: try again
I tried with both of them, the old one and the new one.

The log says:
Quote:
Apr 12 16:18:50 clientmachine passwd: pam_ldap: error trying to bind as user "uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org" (Invalid credentials)

TIA

Tommaso

Last edited by gettons1980; 04-12-2011 at 11:41 AM.
 
Old 04-13-2011, 10:10 PM   #2
quanta
Member
 
Registered: Aug 2007
Location: Vietnam
Distribution: RedHat based, Debian based, Slackware, Gentoo
Posts: 724

Your password has not changed. The output from ldapsearch is the base64 encoding of the SHA password (from the ldif file):
Code:
$ python -c "import base64; print base64.b64decode('e1NTSEF9VnFGV1VzRy9TNkJKTWtBblhBSVNGSExPeGpiY2Q5aWM=')"
{SSHA}VqFWUsG/S6BJMkAnXAISFHLOxjbcd9ic
Take a look at this: http://www.fusionnetwork.us/index.ph...asswd-command/
 
Old 04-14-2011, 05:01 AM   #3
gettons1980
LQ Newbie
 
Registered: Jun 2008
Posts: 21

Original Poster
Quote:
Originally Posted by quanta View Post
Your password has not changed. The output from ldapsearch is the base64 encoding of the SHA password (from the ldif file):
Code:
$ python -c "import base64; print base64.b64decode('e1NTSEF9VnFGV1VzRy9TNkJKTWtBblhBSVNGSExPeGpiY2Q5aWM=')"
{SSHA}VqFWUsG/S6BJMkAnXAISFHLOxjbcd9ic
Take a look at this: http://www.fusionnetwork.us/index.ph...asswd-command/

Hi there,

thanks for your reply.
I think I got confused when I did copy and paste from the terminal. The password doesn't look the same. I did another test, still not working.

Removed the ldif files, stopped the server, imported the ldif files, and started from scratch.
First, I set the user up in the ldif file:


Code:
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: shadowAccount
shadowMax: 999999
shadowWarning: 7
shadowLastChange: 10877
userPassword: {MD5}IKrpa9u8/J9z3VryD0DzEQ==
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
mail: boo@yahoo.it
givenName: boo
sn: boo
Then I can log in with the password chosen on the client machine, and do:

Code:
# boo, People, linux.gettolandia.org
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
shadowMax: 999999
shadowWarning: 7
shadowLastChange: 10877
userPassword:: e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
mail: boo@yahoo.it
givenName: boo
sn: boo
Also running the following commands I get:

Code:
getent passwd
boo:x:9001:9001:boo:/home/boo:/bin/bash

getent shadow
boo:*:10877::999999:7:::
Then I change the password for user boo using the passwd command, and I log out and log in again on the client.
Then I issue the command:

Code:
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
email: boo@yahoo.it
givenName: boo
sn: boo
userPassword:: e2NyeXB0fSQxJDJmU21EcVVsJFB1MHd5ZzRmNlIvbzdwcmtERnFNcy4=

By having a look at the password, I notice that it's different:
python -c "import base64; print base64.b64decode('e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=')"
{MD5}IKrpa9u8/J9z3VryD0DzEQ==
python -c "import base64; print base64.b64decode('e2NyeXB0fSQxJDJmU21EcVVsJFB1MHd5ZzRmNlIvbzdwcmtERnFNcy4=')"
{crypt}$1$2fSmDqUl$Pu0wyg4f6R/o7prkDFqMs.

It looks like it's using a different encryption, isn't it?


Now, if I run passwd again, I get an error:

Code:
[boo@nassettone ~]$ passwd
Changing password for user boo.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
[boo@nassettone ~]$
If I run:

Code:
getent shadow now:
boo:$1$2fSmDqUl$Pu0wyg4f6R/o7prkDFqMs.:15078::999999:7:::
 
Old 04-15-2011, 06:32 AM   #4
quanta
Member
 
Registered: Aug 2007
Location: Vietnam
Distribution: RedHat based, Debian based, Slackware, Gentoo
Posts: 724

Hi gettons1980,

- Did you try the link in my previous post?
- I suggest you take a look at password-hash in slapd.conf and pam_password in ldap.conf.
 
Old 04-16-2011, 08:19 AM   #5
gettons1980
LQ Newbie
 
Registered: Jun 2008
Posts: 21

Original Poster
Quote:
Originally Posted by quanta View Post
Hi gettons1980,

- Did you try the link in my previous post?
- I suggest you take a look at password-hash in slapd.conf and pam_password in ldap.conf.



Hi again,

there must be a problem with the encryption method.
Basically, once I create the ldif file with the "boo" user, when I do ldapsearch I get this password:

userPassword:: e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=
which is MD5:
python -c "import base64; print base64.b64decode('e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=')"
{MD5}IKrpa9u8/J9z3VryD0DzEQ==

When I do passwd (the first time I do it, it's fine; it's the second time I run passwd to change the password again that passwd won't recognize the password I have just changed), it works fine:
Code:
boo@gettons-desktop:~$ passwd 
Enter login(LDAP) password: 
New password: 
Re-enter new password: 
LDAP password information changed for boo
passwd: password updated successfully
and I can test this by logging out / in on the tty/pts


Now, if I look at the password:

userPassword:: e2NyeXB0fSQxJDlQT2pTRmw0JENUTU1yR0g5UDBCa1ppSHQyLzVoUi4=
which has a different encryption now:
python -c "import base64; print base64.b64decode('e2NyeXB0fSQxJDlQT2pTRmw0JENUTU1yR0g5UDBCa1ppSHQyLzVoUi4=')"
{crypt}$1$9POjSFl4$CTMMrGH9P0BkZiHt2/5hR.


Then when I run passwd again and I get prompted for the *actual* password, it won't recognize it.

Code:
boo@gettons-desktop:~$ passwd 
Enter login(LDAP) password: 
LDAP Password incorrect: try again
Enter login(LDAP) password: 
LDAP Password incorrect: try again
Enter login(LDAP) password: 
LDAP Password incorrect: try again
passwd: User not known to the underlying authentication module
passwd: password unchanged



Also, I am using slapd on openwrt, which is a flavour of Linux running on routers. I know it's not compiled like the others are on distros like Red Hat, CentOS, Ubuntu ...,
i.e. it does not have SSL, debugging or so, so it might be because it's missing something.

Last edited by gettons1980; 04-16-2011 at 08:21 AM.
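Since the whole thread turns on which hash scheme the entry actually holds, here is an added Python 3 example (not from the thread, nor from the OpenLDAP or pam_ldap projects) that decodes the three `userPassword::` values quoted above, names the scheme each one uses (the hand-written {SSHA} and {MD5} from the LDIF, and the {crypt} md5crypt value that appeared after passwd), and checks a candidate password against the RFC 2307 {SSHA}/{SHA}/{MD5}/{SMD5} forms. The password and salt used for that check are constructed; {crypt} values are only described, since verifying them needs the server side's crypt(3).

```python
import base64
import hashlib
import hmac
import re

# The three userPassword:: values quoted in the thread above; ldapsearch base64-encodes
# a value that starts with '{' and marks that with the double colon.
THREAD_VALUES = [
    "e1NTSEF9VnFGV1VzRy9TNkJKTWtBblhBSVNGSExPeGpiY2Q5aWM=",      # {SSHA}...
    "e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=",                  # {MD5}...
    "e2NyeXB0fSQxJDJmU21EcVVsJFB1MHd5ZzRmNlIvbzdwcmtERnFNcy4=",  # {crypt}$1$...
]
_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)
_CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}
_HASHLIB_NAME = {"SSHA": "sha1", "SHA": "sha1", "SMD5": "md5", "MD5": "md5"}

def decode_userpassword(b64value):
    """Turn the 'userPassword:: <base64>' form back into the stored string."""
    return base64.b64decode(b64value).decode("ascii")

def describe(stored):
    """Return (SCHEME, detail) telling which hash scheme the entry actually holds."""
    m = _SCHEME_RE.match(stored)
    if not m:
        return ("CLEARTEXT", "no {scheme} prefix")
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        parts = rest.split("$")  # modular crypt(3) format $id$salt$hash; no '$' means DES crypt
        return (scheme, _CRYPT_IDS.get(parts[1], "unknown crypt id") if len(parts) > 2 else "DES crypt")
    return (scheme, "%d raw bytes" % len(base64.b64decode(rest)))

def make_ssha(password, salt):
    """Build an RFC 2307 {SSHA} value: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(stored, candidate):
    """True/False for cleartext, {SHA}, {SSHA}, {MD5}, {SMD5}; None for {CRYPT} (needs crypt(3))."""
    m = _SCHEME_RE.match(stored)
    if not m:
        return hmac.compare_digest(stored.encode(), candidate.encode())
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme not in _HASHLIB_NAME:
        return None
    raw = base64.b64decode(rest)
    size = hashlib.new(_HASHLIB_NAME[scheme]).digest_size
    digest, salt = raw[:size], raw[size:]  # unsalted schemes just have an empty salt
    calc = hashlib.new(_HASHLIB_NAME[scheme], candidate.encode() + salt).digest()
    return hmac.compare_digest(calc, digest)
```

Running describe() over an entry before and after passwd shows directly whether slapd's password-hash and the client's pam_password setting agree, which is the mismatch this thread is chasing.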
 
  

