
Re: Issue with Referral+pwdReset

Has anyone seen this before? Any tips for troubleshooting are greatly appreciated. I am very stuck at this point.

  --AP

On Jun 20, 2008, at 11:51 AM, Anthony Porcano wrote:

I am having a problem that I am hoping the list can help with. When using the pwdReset attribute to force a password change the user receives the following error when trying to reset the password on SSH login:

LDAP password information update failed: Can't contact LDAP server
passwd: Permission denied

This only occurs for clients using a slave to authenticate, and only when changing the password on login in combination with the pwdReset attribute. A non-forced password change works fine when a user runs the passwd command manually on one of the slave clients. So it seems referrals by themselves work OK. Forced password changes using the pwdReset attr also work for clients that use the master directly, so the issue is specific to slave-authentication+pwdReset+referral.

The debug log on the master shows that it is being reached by the client, but slapd refused to perform the action:
slapd[1079]: conn=1 op=1 BIND dn="uid=jschmo,ou=users,dc=example,dc=com" method=128
slapd[1079]: conn=1 op=1 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed


The debug log on the slave shows the following error:
slapd[11339]: conn=5 op=10 MOD dn="uid=jschmo,ou=users,dc=example,dc=com"
slapd[11339]: conn=5 op=10 MOD attr=userPassword
slapd[11339]: conn=5 op=10 RESULT tag=103 err=10 text=


I've tried searching for information on this, but to date nothing I have found resolved the issue. One attempt involved setting an allow statement in the master slapd.conf for "bind_anon_dn". This did prevent the err=53, but produced another error:
Jun 19 12:21:12 admin5-ash slapd[30555]: conn=4 op=2 RESULT tag=103 err=8 text=modifications require authentication


The following applies to both master and slave servers:

OpenLDAP: openldap-2.3.39-3.rhel5 (Buchan's Packages)
OS: CentOS 5.1

For the client I have tried the following configurations:

OpenLDAP: openldap-2.2.13-8 (RH Stock)
PAM_LDAP: nss_ldap-226-20 (RH Stock)
OS: RHEL4.6

OpenLDAP version: openldap-2.3.39-3.rhel5 (Buchan's Packages)
PAM_LDAP: nss_ldap-253-5.el5 (CentOS Stock)
OS: CentOS 5.1

If any other information is needed let me know. Thanks to all.

--AP
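The two slapd excerpts in this message tell the story only when read together: the replica answers the userPassword MOD with err=10 (referral), the client chases the referral, and the master logs a simple BIND (method=128) for the same DN that it rejects with err=53 because the bind carried no password. The script below is an added example, not code from the poster or from the OpenLDAP project; it parses the "conn=N op=M" line format shown above, names the numeric result codes from RFC 4511, and links a referred MOD on the replica to the rejected bind on the master. The sample log lists are the lines from this thread, embedded here so it runs offline; the function names and the exact wording of the diagnosis are this example's own.

```python
"""Correlate slapd access-log lines across a replica and its master.

Added example: pairs each RESULT line with the request on the same
conn/op, names the LDAP result code, and flags the referral-chase
pattern (MOD -> err=10 on the replica, unauthenticated BIND -> err=53 on
the master) that the thread describes.
"""
import re
from typing import Dict, List, Optional

# Subset of LDAP result codes (RFC 4511) that matter for this thread.
LDAP_RESULT_CODES = {
    0: "success",
    8: "strongerAuthRequired",
    10: "referral",
    49: "invalidCredentials",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
}
LDAP_AUTH_SIMPLE = 128  # "method=128" in a BIND line is a simple bind

LINE_RE = re.compile(r"slapd\[(?P<pid>\d+)\]: conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
MOD_DN_RE = re.compile(r'MOD dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r"RESULT tag=(?P<tag>\d+) err=(?P<err>\d+) text=(?P<text>.*)")

# Constructed samples: the exact lines quoted in the thread.
SAMPLE_MASTER_LOG = [
    'slapd[1079]: conn=1 op=1 BIND dn="uid=jschmo,ou=users,dc=example,dc=com" method=128',
    'slapd[1079]: conn=1 op=1 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed',
]
SAMPLE_SLAVE_LOG = [
    'slapd[11339]: conn=5 op=10 MOD dn="uid=jschmo,ou=users,dc=example,dc=com"',
    'slapd[11339]: conn=5 op=10 MOD attr=userPassword',
    'slapd[11339]: conn=5 op=10 RESULT tag=103 err=10 text=',
]


def parse_slapd_log(lines: List[str]) -> List[Dict]:
    """Group log lines by (pid, conn, op); one dict per operation, in first-seen order."""
    ops: Dict[tuple, Dict] = {}
    for line in lines:
        m = LINE_RE.search(line)  # search(): tolerate a syslog timestamp/host prefix
        if not m:
            continue
        key = (m["pid"], m["conn"], m["op"])
        entry = ops.setdefault(key, {
            "pid": int(m["pid"]), "conn": int(m["conn"]), "op": int(m["op"]),
            "request": None, "dn": None, "method": None, "attrs": [],
            "tag": None, "err": None, "text": None,
        })
        rest = m["rest"]
        b = BIND_RE.match(rest)
        md = MOD_DN_RE.match(rest)
        r = RESULT_RE.match(rest)
        if b:
            entry.update(request="BIND", dn=b["dn"], method=int(b["method"]))
        elif md:
            entry.update(request="MOD", dn=md["dn"])
        elif rest.startswith("MOD attr="):
            entry["attrs"].append(rest[len("MOD attr="):].strip())
        elif r:
            entry.update(tag=int(r["tag"]), err=int(r["err"]), text=r["text"].strip())
    return list(ops.values())


def describe(entry: Dict) -> str:
    """One-line summary of an operation with the result code spelled out."""
    code = entry["err"]
    name = "no result logged" if code is None else LDAP_RESULT_CODES.get(code, "unknown")
    attrs = ",".join(entry["attrs"]) or "-"
    return (f"conn={entry['conn']} op={entry['op']} {entry['request'] or '?'} "
            f"dn={entry['dn']} attrs={attrs} -> err={code} ({name}) {entry['text'] or ''}").strip()


def diagnose_referral_chase(slave_entries: List[Dict], master_entries: List[Dict]) -> Optional[str]:
    """Link a MOD referred by the replica (err=10) to a simple BIND for the same DN
    that the master refused with err=53; return an explanation, or None if absent."""
    for s in slave_entries:
        if s["request"] != "MOD" or s["err"] != 10:
            continue
        for m in master_entries:
            if (m["request"] == "BIND" and m["dn"] == s["dn"]
                    and m["method"] == LDAP_AUTH_SIMPLE and m["err"] == 53):
                return (f"replica referred MOD of {','.join(s['attrs'])} on {s['dn']} to the master, "
                        f"but the client re-bound there as {m['dn']} with no password; "
                        f"the master rejects unauthenticated simple binds (err=53)")
    return None


if __name__ == "__main__":
    master = parse_slapd_log(SAMPLE_MASTER_LOG)
    slave = parse_slapd_log(SAMPLE_SLAVE_LOG)
    for e in slave + master:
        print(describe(e))
    print(diagnose_referral_chase(slave, master))
```

Run as-is it prints one summary line per operation and then the linked diagnosis; feed it real replica and master logs (any lines without "slapd[pid]: conn= op=" are skipped) to check whether the same two-step pattern is present before changing bind or referral settings.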