Opened 12 years ago
Closed 12 years ago
#21 closed (fixed)
LDAP password change on racks doesn't work due to LDAP replication issues
Reported by: | chaos@bbn.com | Owned by: | jonmills@renci.org |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Administration | Version: | SPIRAL4 |
Keywords: | | Cc: | |
Dependencies: | | | |
Description
When I try to change the password for my new cgolubit (BBN site admin) account, I get:
```
(cgolubit) bbn-hn,[~],17:37(0)$ passwd
Changing password for user cgolubit.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Server is unwilling to perform
shadow context; no update referral
passwd: Authentication token manipulation error
```
Fix LDAP replication config so that non-RENCI users can change their LDAP passwords.
Change History (7)
comment:1 Changed 12 years ago by
comment:2 Changed 12 years ago by
I have implemented the full slapo-chain overlay using a new cn=proxyuser,dc=exogeni,dc=net user and authzTo proxied binds. I can now change my password against rci-hn.exogeni.net, with the following debug output:
```
conn=1001 fd=19 ACCEPT from IP=152.54.14.3:54181 (IP=152.54.1.67:389)
conn=1001 op=0 EXT oid=1.3.6.1.4.1.1466.20037
conn=1001 op=0 STARTTLS
conn=1001 op=0 RESULT oid= err=0 text=
conn=1001 fd=19 TLS established tls_ssf=256 ssf=256
conn=1001 op=1 BIND dn="cn=proxyuser,dc=exogeni,dc=net" method=128
conn=1001 op=1 BIND dn="cn=proxyuser,dc=exogeni,dc=net" mech=SIMPLE ssf=0
conn=1001 op=1 RESULT tag=97 err=0 text=
conn=1001 op=2 PROXYAUTHZ dn="uid=jonmills,ou=people,dc=exogeni,dc=net"
conn=1001 op=2 EXT oid=1.3.6.1.4.1.4203.1.11.1
conn=1001 op=2 PASSMOD new
slap_queue_csn: queing 0x7fb336c8b1d0 20120525190146.807111Z#000000#000#000000
slap_graduate_commit_csn: removing 0x7fb3281b8cf0 20120525190146.807111Z#000000#000#000000
conn=1001 op=2 RESULT oid= err=0 text=
conn=1001 op=3 UNBIND
conn=1001 fd=19 closed
```
Additionally, I have added all slapd configuration into Puppet -- which is really quite convenient now.
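An added example, not part of the ticket or of RENCI's configuration: a small Python audit over slapd log lines of the shape shown in the debug output above. It pairs each PASSMOD with the proxy bind DN, the PROXYAUTHZ identity and the TLS strength of its connection. The sample log, DNs and addresses are constructed, and `audit_passmods` is a hypothetical helper name.

```python
import re

# Constructed sample modelled on the slapd debug output above (not real hosts or users).
SAMPLE_LOG = """\
conn=1001 fd=19 ACCEPT from IP=192.0.2.10:54181 (IP=192.0.2.1:389)
conn=1001 op=0 STARTTLS
conn=1001 fd=19 TLS established tls_ssf=256 ssf=256
conn=1001 op=1 BIND dn="cn=proxyuser,dc=example,dc=net" mech=SIMPLE ssf=0
conn=1001 op=2 PROXYAUTHZ dn="uid=alice,ou=people,dc=example,dc=net"
conn=1001 op=2 PASSMOD new
conn=1001 op=2 RESULT oid= err=0 text=
conn=1002 op=0 BIND dn="cn=proxyuser,dc=example,dc=net" mech=SIMPLE ssf=0
conn=1002 op=1 PROXYAUTHZ dn="uid=bob,ou=people,dc=example,dc=net"
conn=1002 op=1 PASSMOD new
conn=1002 op=1 RESULT oid= err=0 text=
"""

LINE = re.compile(r'^conn=(\d+) (?:op=(\d+)|fd=\d+) (.*)$')
DN = re.compile(r'dn="([^"]*)"')

def audit_passmods(log_text):
    """Return one record per completed PASSMOD: binder, proxied identity, TLS, result."""
    conns, pending, records = {}, {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # lines such as slap_queue_csn carry no conn= prefix
        conn, op, rest = m.groups()
        st = conns.setdefault(conn, {"tls_ssf": 0, "bind_dn": None, "authz": {}})
        if rest.startswith("TLS established"):
            st["tls_ssf"] = int(re.search(r"tls_ssf=(\d+)", rest).group(1))
        elif rest.startswith("BIND") and "mech=" in rest:
            st["bind_dn"] = DN.search(rest).group(1)
        elif rest.startswith("PROXYAUTHZ"):
            st["authz"][op] = DN.search(rest).group(1)  # tracked per operation
        elif rest.startswith("PASSMOD"):
            pending[(conn, op)] = {"conn": conn, "bind_dn": st["bind_dn"],
                                   "authz_dn": st["authz"].get(op),
                                   "tls_ssf": st["tls_ssf"]}
        elif rest.startswith("RESULT") and (conn, op) in pending:
            rec = pending.pop((conn, op))
            rec["err"] = int(re.search(r"err=(\d+)", rest).group(1))
            rec["cleartext"] = rec["tls_ssf"] == 0  # no TLS seen on this connection
            records.append(rec)
    return records

if __name__ == "__main__":
    for r in audit_passmods(SAMPLE_LOG):
        print(r)
```

A record with `cleartext` set to true and `err` equal to 0 is a password change that succeeded on a connection where no TLS was logged, which is the case worth alerting on.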
comment:3 Changed 12 years ago by
Owner: | changed from somebody to jonmills@renci.org |
---|---|
Status: | new → assigned |
comment:4 Changed 12 years ago by
Resolution: | → worksforme |
---|---|
Status: | assigned → closed |
comment:5 Changed 12 years ago by
Resolution: | worksforme |
---|---|
Status: | closed → reopened |
Jon: we prefer that GPO verify fixes and close tickets. We'll check this out right now.
comment:7 Changed 12 years ago by
Resolution: | → fixed |
---|---|
Status: | reopened → closed |
Indeed, first I got:
```
(cgolubit) bbn-hn,[~],19:26(0)$ passwd
Changing password for user cgolubit.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Constraint violation
passwd: Authentication token manipulation error
```
because my shiny new pseudorandom password happened not to contain any digits. :>P
On the second try, this worked:
```
(cgolubit) bbn-hn,[~],19:26(1)$ passwd
Changing password for user cgolubit.
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for cgolubit
passwd: all authentication tokens updated successfully.
```
- I can login to bbn-hn as cgolubit with the new password.
- I can login to https://bbn-hn.exogeni.net/rack_bbn/ as cgolubit with the new password.
Thanks!
I reported this to Jonathan via e-mail, and he said:
So I think he is working on this.