Linux - Server This forum is for the discussion of Linux Software used in a server related context. |
04-12-2011, 10:20 AM  #1  gettons1980 (LQ Newbie, Registered: Jun 2008, Posts: 21)
changing ldap password from client machine
Hi all,
I have been playing a bit with OpenLDAP on my router, which has OpenWrt Backfire 10.03.1-rc4 on it.
It has a package already compiled; the drawback is that the database is LDIF type only (because of the hardware, being just a broadband router).
First, on my server I configured slapd.conf:
Quote:
access to *
by self write
by anonymous read
by dn="cn=Manager,dc=linux,dc=gettolandia,dc=org" write
by * read
and then I started building the 3 ldif files against which, in turn, I run
ldapadd -x -D "cn=Manager,dc=linux,dc=gettolandia,dc=org" -W -f base.ldif
ldapadd -x -D "cn=Manager,dc=linux,dc=example,dc=org" -W -f users.ldif
ldapadd -x -D "cn=Manager,dc=linux,dc=example,dc=org" -W -f groups.ldif
An example from users.ldif is the following one:
Quote:
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: Piccola Boo
objectclass: account
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
shadowMax: 99999
shadowWarning: 7
userPassword: {SSHA}VqFWUsG/S6BJMkAnXAISFHLOxjbcd9ic
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: Boo
Then I set my client workstation up with auth:
authconfig-tui --disablefingerprint
after installing the rpm packages needed (nss_ldap ... openldap ...),
and I have added
to the nss_ldap configuration file.
I can getent passwd on the client, I can su - USERONLDAP, I can connect with ssh USERONLDAP@client
Then I tried to change the password: I get asked for the current LDAP password, I fill in the password and then a new one.
Then I try again to connect locally doing su - USERONLDAP and ssh USERONLDAP@client, and it brilliantly works.
I can ldapsearch and I presume the below password is the new one I have just changed.
Quote:
# boo, People, linux.gettolandia.org
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: Piccola Boo
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
userPassword:: e1NTSEF9VnFGV1VzRy9TNkJKTWtBblhBSVNGSExPeGpiY2Q5aWM=
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: Boo
The problem is that if I try to run passwd again to change the password (as USERONLDAP on the client machine), once I fill in the current password I get the following error:
Quote:
[boo@clientmachine ~]$ passwd
Changing password for user boo.
Enter login(LDAP) password:
LDAP Password incorrect: try again
I tried with both of them, the old one and the new one.
The log says:
Quote:
Apr 12 16:18:50 clientmachine passwd: pam_ldap: error trying to bind as user "uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org" (Invalid credentials)
TIA
Tommaso
Last edited by gettons1980; 04-12-2011 at 10:41 AM.
04-13-2011, 09:10 PM  #2  quanta (Member, Registered: Aug 2007, Location: Vietnam, Distribution: RedHat based, Debian based, Slackware, Gentoo, Posts: 724)
Your password has not changed. The output from ldapsearch is the base64 encoding of the SHA password (from the ldif file):
Code:
$ python -c "import base64; print(base64.b64decode('e1NTSEF9VnFGV1VzRy9TNkJKTWtBblhBSVNGSExPeGpiY2Q5aWM=').decode())"
{SSHA}VqFWUsG/S6BJMkAnXAISFHLOxjbcd9ic
Take a look at this: http://www.fusionnetwork.us/index.ph...asswd-command/
04-14-2011, 04:01 AM  #3  gettons1980 (LQ Newbie, Original Poster, Registered: Jun 2008, Posts: 21)
Quote:
Originally Posted by quanta
Your password has not changed. The output from ldapsearch is the base64 encoding of the SHA password (from the ldif file):
Code:
$ python -c "import base64; print(base64.b64decode('e1NTSEF9VnFGV1VzRy9TNkJKTWtBblhBSVNGSExPeGpiY2Q5aWM=').decode())"
{SSHA}VqFWUsG/S6BJMkAnXAISFHLOxjbcd9ic
Take a look at this: http://www.fusionnetwork.us/index.ph...asswd-command/
Hi there,
thanks for your reply.
I think I got confused when I did copy and paste from the terminal. The password doesn't look the same. I did another test, still not working.
Removed the ldif files, stopped the server, imported the ldif files, and started from scratch.
First, I set the user up in the ldif file:
Code:
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectclass: posixAccount
objectclass: inetOrgPerson
objectclass: shadowAccount
shadowMax: 999999
shadowWarning: 7
shadowLastChange: 10877
userPassword: {MD5}IKrpa9u8/J9z3VryD0DzEQ==
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
mail: boo@yahoo.it
givenName: boo
sn: boo
Then I can log in with the chosen password on the client machine, and do:
Code:
# boo, People, linux.gettolandia.org
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
shadowMax: 999999
shadowWarning: 7
shadowLastChange: 10877
userPassword:: e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
mail: boo@yahoo.it
givenName: boo
sn: boo
Also running the following commands I get:
Code:
getent passwd
boo:x:9001:9001:boo:/home/boo:/bin/bash
getent shadow
boo:*:10877::999999:7:::
Then I change the password as user boo using the passwd command, and I log out and log in again on the client.
Then I issue the command:
Code:
dn: uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org
uid: boo
cn: boo
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: shadowAccount
shadowMax: 999999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 9001
gidNumber: 9001
homeDirectory: /home/boo
gecos: boo
displayName: boo
email: boo@yahoo.it
givenName: boo
sn: boo
userPassword:: e2NyeXB0fSQxJDJmU21EcVVsJFB1MHd5ZzRmNlIvbzdwcmtERnFNcy4=
By having a look at the password, I notice that it's different:
python -c "import base64; print(base64.b64decode('e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=').decode())"
{MD5}IKrpa9u8/J9z3VryD0DzEQ==
python -c "import base64; print(base64.b64decode('e2NyeXB0fSQxJDJmU21EcVVsJFB1MHd5ZzRmNlIvbzdwcmtERnFNcy4=').decode())"
{crypt}$1$2fSmDqUl$Pu0wyg4f6R/o7prkDFqMs.
It looks like it's using a different encryption, isn't it?
It's now that, if I run passwd again, I get an error:
Code:
[boo@nassettone ~]$ passwd
Changing password for user boo.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
[boo@nassettone ~]$
If I run getent shadow now:
Code:
boo:$1$2fSmDqUl$Pu0wyg4f6R/o7prkDFqMs.:15078::999999:7:::
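The three userPassword values shown so far in this thread are one attribute stored under three different schemes: {SSHA} in the first users.ldif, {MD5} in the second, and {crypt}$1$ after passwd ran through pam_ldap. ldapsearch prints them with a double colon because LDIF base64-encodes any value that is not safe ASCII, so the base64 layer is LDIF formatting, not part of the hash. A simple bind can only succeed if slapd can verify the scheme the value is stored in; a {CRYPT} value in particular needs a slapd built with crypt(3) support. The script below is an added example, not code from the thread or from OpenLDAP: it decodes the LDIF lines, reports the scheme of each value, and verifies a candidate password against {SSHA}, {SMD5}, {SHA}, {MD5} and unprefixed (cleartext) values, handing {CRYPT} to the platform's crypt(3) when Python still ships the crypt module and otherwise reporting that it cannot check it. The sample lines are the three values from the thread; the function names, the test passwords and the salt are my own.

```python
import base64
import hashlib
import hmac
import os

# Constructed input: the three userPassword values shown in this thread, in the
# "attr:: <base64>" form ldapsearch prints for values that are not safe ASCII.
SAMPLE_LINES = [
    "userPassword:: e1NTSEF9VnFGV1VzRy9TNkJKTWtBblhBSVNGSExPeGpiY2Q5aWM=",
    "userPassword:: e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=",
    "userPassword:: e2NyeXB0fSQxJDJmU21EcVVsJFB1MHd5ZzRmNlIvbzdwcmtERnFNcy4=",
]

# Salted schemes: (hash, digest length); the salt is whatever follows the digest.
_SALTED = {"SSHA": (hashlib.sha1, 20), "SMD5": (hashlib.md5, 16)}
_UNSALTED = {"SHA": hashlib.sha1, "MD5": hashlib.md5}


def decode_ldif_line(line):
    """Split one LDIF attribute line into (attr, value).

    A single colon separates a plain value; a double colon (RFC 2849) marks a
    base64-encoded value, which is how ldapsearch shows userPassword.
    """
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return attr, rest.strip()


def split_scheme(stored):
    """Return (SCHEME, payload) for a '{scheme}payload' value, or (None, value)
    for an unprefixed value, which slapd treats as cleartext."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, payload = stored[1:].partition("}")
        return scheme.upper(), payload
    return None, stored


def audit_schemes(lines):
    """Scheme of every userPassword value in an ldapsearch/LDIF dump, in order."""
    schemes = []
    for line in lines:
        attr, value = decode_ldif_line(line)
        if attr == "userPassword":
            schemes.append(split_scheme(value)[0] or "CLEARTEXT")
    return schemes


def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_md5(password):
    """Build an unsalted {MD5} value, the scheme the second users.ldif used."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def verify(candidate, stored):
    """Check a candidate password against a stored userPassword value.

    Returns True/False for schemes this script evaluates itself, and None when
    it cannot: {CRYPT} needs the platform's crypt(3) (Python's crypt module,
    removed in 3.13), and unknown schemes are not guessed.
    """
    scheme, payload = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme is None:
        return hmac.compare_digest(pw, payload.encode("utf-8"))
    if scheme in _SALTED:
        algo, dlen = _SALTED[scheme]
        raw = base64.b64decode(payload)
        digest, salt = raw[:dlen], raw[dlen:]
        return hmac.compare_digest(algo(pw + salt).digest(), digest)
    if scheme in _UNSALTED:
        return hmac.compare_digest(_UNSALTED[scheme](pw).digest(), base64.b64decode(payload))
    if scheme == "CRYPT":
        try:
            import crypt  # deprecated since Python 3.11, gone in 3.13
        except ImportError:
            return None
        result = crypt.crypt(candidate, payload)  # the stored value doubles as the salt spec
        if result is None:  # libc does not support this crypt variant
            return None
        return hmac.compare_digest(result, payload)
    return None


if __name__ == "__main__":
    for line, scheme in zip(SAMPLE_LINES, audit_schemes(SAMPLE_LINES)):
        print(scheme, decode_ldif_line(line)[1])
```

Feed it the userPassword:: lines of a full ldapsearch dump and audit_schemes tells you which schemes the directory actually holds, which is the thing to know before choosing password-hash on the server and pam_password on the client: every scheme present must be one this particular slapd build can verify, or binds with those passwords will fail exactly as the "Invalid credentials" log line above shows.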
04-15-2011, 05:32 AM  #4  quanta (Member, Registered: Aug 2007, Location: Vietnam, Distribution: RedHat based, Debian based, Slackware, Gentoo, Posts: 724)
Hi gettons1980,
- Did you try the link in my previous post?
- I suggest you take a look at password-hash in slapd.conf and pam_password in ldap.conf.
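quanta's two pointers, password-hash in slapd.conf and pam_password in ldap.conf, together decide who hashes a new password and in which scheme, which is exactly what changed between the {MD5} value loaded from the ldif and the {crypt}$1$ value that appeared after passwd. The fragment below is an added example, not the poster's or quanta's configuration; it reuses the suffix and Manager DN from the thread, and everything else is an assumption. On the client it sets pam_password to exop, so pam_ldap hands the new password to slapd through the Password Modify extended operation (RFC 3062) and slapd stores it under its own password-hash scheme, instead of pam_ldap computing a {crypt} hash and writing it into userPassword with an ordinary modify (a value written that way is stored as sent, and slapd can only verify a {CRYPT} value if it was built with crypt(3) support). On the server it also narrows the access directive from post #1: as posted, "access to * by self write ... by anonymous read" lets anonymous binds read every userPassword hash, and lets each user modify any attribute of their own entry, uidNumber and gidNumber included, which the clients' nss_ldap lookups would then honour.

```conf
########## slapd.conf on the server (added example, thread's suffix and Manager DN) ##########

# Scheme slapd uses when it hashes a password received through the Password
# Modify extended operation. It does NOT rehash a value a client writes with
# an ordinary modify; such a value is stored exactly as sent.
password-hash   {SSHA}

# Lock down the password attribute before the catch-all rule: the first
# "access to" whose <what> matches wins, and within it the first matching
# "by" wins. "anonymous auth" is what a simple bind needs to compare the
# password without being able to read it.
# (If cn=Manager is the rootdn it bypasses ACLs anyway; listed for clarity.)
access to attrs=userPassword
        by dn.exact="cn=Manager,dc=linux,dc=gettolandia,dc=org" write
        by self write
        by anonymous auth
        by * none

# Everything else stays readable for nss_ldap, but users no longer get
# "by self write" over uidNumber, gidNumber, homeDirectory and loginShell.
access to *
        by dn.exact="cn=Manager,dc=linux,dc=gettolandia,dc=org" write
        by * read

########## /etc/ldap.conf on the client (pam_ldap / nss_ldap) ##########

# Send new passwords via Password Modify so the server hashes them with its
# password-hash. With "crypt" or "md5" pam_ldap writes a hash it computed
# itself; with "clear" it writes the cleartext, which slapd keeps as-is unless
# something like the ppolicy overlay rehashes it.
pam_password exop
```

The same extended operation can be exercised from the client without pam at all: `ldappasswd -x -H ldap://ROUTER -D "uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org" -W -S` (ROUTER standing in for the OpenWrt box; -W prompts for the current password, -S for the new one), followed by `ldapwhoami -x -H ldap://ROUTER -D "uid=boo,ou=People,dc=linux,dc=gettolandia,dc=org" -W` to confirm the new password binds. After that, the userPassword:: value in ldapsearch should decode to an {SSHA} string rather than {crypt}$1$. One caveat: on a plain ldap:// session the new password crosses the wire in the clear, just as the simple-bind password already does, and the OpenWrt build described in post #5 has no SSL, so the path between client and router has to be a trusted one.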
04-16-2011, 07:19 AM  #5  gettons1980 (LQ Newbie, Original Poster, Registered: Jun 2008, Posts: 21)
Quote:
Originally Posted by quanta
Hi gettons1980,
- Did you try the link in my previous post?
- I suggest you take a look at password-hash in slapd.conf and pam_password in ldap.conf.
Hi again,
there must be a problem with the encryption method.
Basically, once I create the ldif file with the "boo" user, when I do ldapsearch I get this password:
userPassword:: e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=
which is md5:
python -c "import base64; print(base64.b64decode('e01ENX1JS3JwYTl1OC9KOXozVnJ5RDBEekVRPT0=').decode())"
{MD5}IKrpa9u8/J9z3VryD0DzEQ==
When I do passwd it works fine (the first time I do it it's fine; it's the second time I run passwd, to change the password again, that passwd won't recognize the password I have just changed):
Code:
boo@gettons-desktop:~$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for boo
passwd: password updated successfully
and I can test this by logging out / in on the tty/pts
Now, if I look at the password:
userPassword:: e2NyeXB0fSQxJDlQT2pTRmw0JENUTU1yR0g5UDBCa1ppSHQyLzVoUi4=
which has a different encryption now:
python -c "import base64; print(base64.b64decode('e2NyeXB0fSQxJDlQT2pTRmw0JENUTU1yR0g5UDBCa1ppSHQyLzVoUi4=').decode())"
{crypt}$1$9POjSFl4$CTMMrGH9P0BkZiHt2/5hR.
Then when I run passwd again and I get prompted for the *actual* password, it won't recognize it.
Code:
boo@gettons-desktop:~$ passwd
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
passwd: User not known to the underlying authentication module
passwd: password unchanged
Also, I am using slapd on OpenWrt, which is a flavour of Linux running on routers. I know it's not compiled like the others are on distros like Red Hat, CentOS, Ubuntu ...
i.e. it does not have SSL, debugging or so, so it might be because it's missing something.
Last edited by gettons1980; 04-16-2011 at 07:21 AM.