Re: "Directory Manager" can't change user's password; result is an inaccessible account.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 09/23/2016 03:16 PM, Janet Houser wrote:

Hi Noriko,

thanks for the quick response.

On 9/23/16 3:37 PM, Noriko Hosoi wrote:

On 09/23/2016 02:24 PM, Janet Houser wrote:

Hi folks,
I'm fairly new to 389-ds and I ran into an issue when trying to update a user's password via the command line.
I was able to change a password "as" the user via the command line using the following syntax without issue:
ldappasswd -h my389dsserver.domain.edu -p 389 -ZZ -D "uid=jdoe,ou=People,dc=domain,dc=edu" -w current_user_passwd -s new_user_passwd "uid=jdoe,ou=People,dc=domain,dc=edu"
However, when I tried doing the same thing as the Directory Manager, it changes the password hash, but it doesn't update the password. In fact, after issuing the following command (see below), both the old and new passwords don't work:
ldappasswd -h my389dsserver.domain.edu -p 389 -ZZ -D "cn=Directory Manager" -w directorymanager_passwd -s new_user_passwd "uid=jdoe,ou=People,dc=domain,dc=edu" 
Do you see any error messages in /var/log/dirsrv/slapd-INSTANCE/errors?
No errors reported in /var/log/dirsrv/slapd-INSTANCE/errors when I run the ldappasswd command with "cn=Directory Manager". 

What does this access log file log for the operation?
/var/log/dirsrv/slapd-INSTANCE/access
[23/Sep/2016:15:54:44 -0600] conn=27891 fd=125 slot=125 connection from XXX.X.XX.10 to XXX.XX.XXX.4 [23/Sep/2016:15:54:44 -0600] conn=27891 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS" [23/Sep/2016:15:54:44 -0600] conn=27891 op=0 RESULT err=0 tag=120 nentries=0 etime=0 
[23/Sep/2016:15:54:44 -0600] conn=27891 TLS1.2 256-bit AES
[23/Sep/2016:15:54:44 -0600] conn=27891 op=1 BIND dn="cn=Directory Manager" method=128 version=3 [23/Sep/2016:15:54:44 -0600] conn=27891 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager" [23/Sep/2016:15:54:44 -0600] conn=27891 op=2 EXT oid="1.3.6.1.4.1.4203.1.11.1" name="passwd_modify_extop" [23/Sep/2016:15:54:44 -0600] conn=27891 op=2 RESULT err=0 tag=120 nentries=0 etime=0 
[23/Sep/2016:15:54:44 -0600] conn=27891 op=3 UNBIND
[23/Sep/2016:15:54:44 -0600] conn=27891 op=3 fd=125 closed - U1





What happens if you run this command line?
$ ldapmodify -h my389dsserver.domain.edu -p 389 -ZZ -D "cn=Directory Manager" -w directorymanager_passwd << EOF 
dn: uid=jdoe,ou=People,dc=domain,dc=edu
changetype: modify
replace: userPassword
userPassword: new_user_passwd
EOF

Is the user's password is set to new_user_passwd?
No, the password fails to be set, and both passwords, old and new, are now invalid. The output is: 

----- keystrokes of issued command ----
# ldapmodify -h my389dsserver.domain.edu -p 389 -ZZ -D "cn=Directory Manager" -w directorymanager_passwd << EOF 
> dn: uid=jdoe,ou=People,dc=domain,dc=edu
> changetype: modify
> replace: userPassword
> userPassword: 123abc!@garbage
> EOF
modifying entry "uid=jdoe,ou=People,dc=domain,dc=edu"
--- end of output ---
I'm puzzled. So, it "acts" like it changes the password by telling me it is "modifying the entry", but it inserts something into the password 
because the old password and the new password don't work.

Hi Janet,
Could you tell us how you are testing the new password?


Thanks for your help on this....
I found the following page, http://directory.fedoraproject.org/docs/389ds/design/password-administrator.html, but being fairly new to 389-ds I wasn't sure how to create/define/add the ability to be a password administrator to an account. 

Any suggestions would be appreciated.

Thanks,

/jh
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx


_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx

_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx


_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux