[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Change user Password from an AIX on openLDAP server
On Tuesday, 6 October 2009 14:44:32 CASEIRO Philippe wrote:
> Hello
>
> I'm running openldap-2.3.43 on an RHEL 5.3 All works fine (like usual)
> with the linux clients but I have some troubles with AIX
>
> I have done this tests with An AIX 5.3 TL9 host.
>
> When I change my password with AIX it runs like that
>
> [user@host] $ passwd
> Changing password for "user"
> user's Old password:
> user's New password:
> Enter the new password again:
>
> And it's done, over.
>
> When I check the modification on openLDAP server the password is in clear
> in the field < userPassword >.
>
> On my linux clients it ask the new password 2 times (normal ?)
Use "use_authtok" option when calling pam_ldap in password lines, if preceded
by e.g. pam_unix in password lines ...
> and is not
> in clear in userPassword filed.
>
> [user@host] $ passwd
> Changing password for user user.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> New password:
> Re-enter new password:
> LDAP password information changed for user
> passwd: all authentication tokens updated successfully.
>
> An extract of logs :
> >From an Aix :
>
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0 BIND
> dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
> Sep 17 14:51:19 srvldap
> slapd[8270]: slap_global_control: unrecognized control:
> 1.3.6.1.4.1.42.2.27.8.5.1
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=0
> BIND dn="uid=user,ou=users,dc= xxx,dc=xx" mech=SIMPLE ssf=0
> Sep 17 14:51:19
> srvldap slapd[8270]: conn=9 op=0 RESULT tag=97 err=0 text=
> Sep 17 14:51:19
> srvldap slapd[8270]: conn=9 op=1 MOD dn="uid=user,ou=users,dc= xxx,dc=xx"
> Sep 17 14:51:19 srvldap slapd[8270]: conn=9 op=1 MOD attr=userpassword
userpassword
AIX has just sent a normal modify of the userPassword attribute. If the client
did not hash it, the server will not.
> Sep 17 14:51:19 srvldap slapd[8270]: slap_global_control:
> unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
The AIX box seems to support the password policy control, but it seems your
LDAP server doesn't, so you are not using the ppolicy overlay.
> ... some troubles ....
>
> >From Linux :
>
> Oct 6 15:37:40
> srvldap slapd[2420]: conn=5765 op=1 SRCH base="ou=users,dc=xxx,dc=xx"
> scope=2 deref=0
> filter="(&(|(&(accessTo=host22)(trustModel=byhost))(trustModel=fullaccess))
>(uid=user))"
>Oct 6 15:37:40 srvldap slapd[2420]: <=> bdb_equality_candidates: (accessTo)
not indexed
> Oct 6 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates:
(trustModel) not indexed
> Oct 6
> 15:37:40 srvldap slapd[2420]: <= bdb_equality_candidates: (trustModel) not
> indexed
You should probably index accessTo and trustModel attributes ...
> Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4 BIND
> dn="uid=user,ou=users,dc=xxx,dc=xx" method=128
> Oct 6 15:37:52 srvldap
> slapd[2420]: conn=5765 op=4 BIND dn="uid=user,ou=users,dc=xxx,dc=xx"
> mech=SIMPLE ssf=0
> Oct 6 15:37:52 srvldap slapd[2420]: conn=5765 op=4
> RESULT tag=97 err=0 text=
> Oct 6 15:37:52 srvldap slapd[2420]: conn=5765
> op=5 PASSMOD id="uid=user,ou=users,dc=xxx,dc=xx" new
> Oct 6 15:37:52
> srvldap slapd[2420]: conn=5765 op=5 RESULT oid= err=0 text=
The Linux box send a password modify extended operation, in which case the
server will always hash the password.
You may want to consider enabling the password policy overlay (this should
give you password expiry notifications etc.), and to solve your cleartext
password problem, use the "ppolicy_hash_cleartext" option, so that slapd will
hash cleartext passwords sent in modify operations.
Regards,
Buchan