passwd command with ldap account
Téssio Fechine
tessiof at gmail.com
Thu Mar 17 21:38:13 UTC 2016
Hi,
I followed these instructions on Ubuntu community help for setting up
LDAP authentication:
https://help.ubuntu.com/lts/serverguide/openldap-server.html
https://help.ubuntu.com/community/LDAPClientAuthentication
I can log in correctly. But my problem is that when I try to change an
LDAP account password with the passwd command, it fails.
~~~~
$ passwd
Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged
# cat /var/log/auth.log
passwd[1131]: pam_unix(passwd:chauthtok): user "john" does not exist
in /etc/passwd
~~~~
The configuration seems correct:
~~~~
# pw=$(cat /etc/ldap.secret)
# dn=$(grep ^rootbinddn /etc/ldap.conf | awk '{ print $2; }')
# uri=$(grep ^uri /etc/ldap.conf | awk '{ print $2; }')
# base=$(grep ^base /etc/ldap.conf | awk '{ print $2; }')
# ldapsearch -x -H $uri -D $dn -w $pw -b $base '(&(objectClass=shadowAccount)(uid=john))'
# extended LDIF
#
# LDAPv3
# base <dc=ufpb,dc=br> with scope subtree
# filter: (&(objectClass=shadowAccount)(uid=john))
# requesting: ALL
#
# john, People, ufpb.br
dn: uid=john,ou=People,dc=ufpb,dc=br
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
cn: John Doe
givenName: John
displayName: John Doe
uidNumber: 2000
gidNumber: 4000
userPassword:: e1NTSEF9R2laOGhwY2JMQTQvYXp4TUZIRG1wUzNGMXQzSDJLZlo=
gecos: John Doe
homeDirectory: /home/john
loginShell: /bin/bash
~~~~
The permission seems correct:
~~~~
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=ufpb,dc=br" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=ufpb,dc=br" write by * read
~~~~
Confirming that permission is correct:
~~~~
# cat passwd.ldif
dn: uid=john,ou=People,dc=ufpb,dc=br
changetype: modify
replace: userPassword
userPassword: {SSHA}AW7jpSYapmtwJiGMB+ePD1Sf/hWm/HDy
# ldapmodify -x -H $uri -D $dn -w $pw -f passwd.ldif
modifying entry "uid=john,ou=People,dc=ufpb,dc=br"
~~~~
** open terminal **
** john can now log in with new password **
I think it's a bug in Ubuntu's auth mechanism or Ubuntu's documentation.
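The workaround in the post replaces `userPassword` with a pre-hashed `{SSHA}` value via ldapmodify. The following is an added example (not part of the original message or of Ubuntu's documentation) that shows what that value is: it decodes the base64 `userPassword::` line exactly as ldapsearch printed it above, splits the `{SSHA}` payload into the 20-byte SHA-1 digest and the trailing 4-byte salt that OpenLDAP appends, builds a fresh value the way slappasswd does, verifies a candidate password against it with a constant-time comparison, and renders the same `changetype: modify` LDIF. The password and salt used in the round-trip are constructed for the example; the hash from the post is only parsed, never matched against anything.

```python
import base64
import hashlib
import hmac
import os

# The userPassword line as ldapsearch printed it in the post above.
# A double colon means the attribute value is base64-encoded in LDIF.
LDIF_LINE = "userPassword:: e1NTSEF9R2laOGhwY2JMQTQvYXp4TUZIRG1wUzNGMXQzSDJLZlo="


def decode_ldif_attr(line):
    """Return (attribute, value) for one LDIF line, decoding '::' base64 values."""
    attr, sep, rest = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(rest.strip()).decode("latin-1")
    attr, _, rest = line.partition(":")
    return attr.strip(), rest.strip()


def split_ssha(value):
    """Split '{SSHA}<base64>' into (digest, salt).

    OpenLDAP stores SHA1(password + salt) followed by the salt itself,
    so everything after the first 20 bytes is salt.
    """
    if not value.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value: %r" % value[:8])
    raw = base64.b64decode(value[len("{SSHA}"):])
    if len(raw) < 21:
        raise ValueError("payload too short for SHA-1 digest plus salt")
    return raw[:20], raw[20:]


def make_ssha(password, salt=None):
    """Build a '{SSHA}' value the way slappasswd does (4-byte random salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, value):
    """True if password matches the stored value; compare in constant time."""
    digest, salt = split_ssha(value)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_replace_password(dn, value):
    """Render the 'replace: userPassword' LDIF fed to ldapmodify in the post."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: userPassword",
        f"userPassword: {value}",
        "",
    ])


if __name__ == "__main__":
    attr, stored = decode_ldif_attr(LDIF_LINE)
    digest, salt = split_ssha(stored)
    print(f"{attr}: {stored}  (digest {len(digest)} bytes, salt {len(salt)} bytes)")

    # Constructed password for the round-trip; not anything from the post.
    new_value = make_ssha("example-passphrase")
    assert check_ssha("example-passphrase", new_value)
    print(ldif_replace_password("uid=john,ou=People,dc=ufpb,dc=br", new_value))
```

Because the salt is stored in the clear alongside the digest, anyone who can read `userPassword` can run the same check offline; that is why the ACL in the post grants `auth` (bind-only) rather than `read` on that attribute to anonymous, and why `by self write` still lets a user change it through a bind.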