Score:1

Let OpenLDAP users change password with passwd in CentOS, I broke it

Tried to do the above with this tutorial:

https://www.unixguide.net/content/openldap-allow-users-change-their-password-unix-passwd-command

So I created this ldif:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=ldapadm,dc=bbb,dc=local" write by * none

add: olcAccess
olcAccess: to * by self write by dn.base="cn=ldapadm,dc=bbb,dc=local" write by * read

Ran the ldapmodify; now no user can log into any client with their password, when they could before I ran the above modify.

Now attempting to log in says permission denied after the correct password is entered.... What did I break?? (totally new to OpenLDAP)

And as it might be relevant this is how I got my clients connected to my openldap server:

yum install -y openldap-clients nss-pam-ldapd
authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=bbb,dc=local" --enablemkhomedir --update

Out of the box, if I type passwd as an LDAP user, the following happens:

[ldapuser@sdss5-db ~]$ passwd
Changing password for user ldapuser.
(current) LDAP Password: 
New password: 
Retype new password: 
password change failed: Insufficient access
passwd: Authentication token manipulation error

Though again, that ldif file above with the olcAccess broke my LDAP and didn't make anything work (had to revert the VM back to before I ran that command, mostly because I am new to LDAP and don't know how to remove items etc.)

Here are all my cn=config files:

olcDatabase={-1}frontend.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 daf543d1
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
structuralObjectClass: olcDatabaseConfig
entryUUID: 1244881e-5cf7-103b-94a5-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
entryCSN: 20210608224613.408737Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210608224613Z


olcDatabase={0}config.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 54d58ed2
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 12448a9e-5cf7-103b-94a6-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
entryCSN: 20210608224613.408801Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210608224613Z

olcDatabase={1}monitor.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3165478b
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
structuralObjectClass: olcDatabaseConfig
entryUUID: 12448d32-5cf7-103b-94a7-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
 al, cn=auth" read by dn.base="cn=ldapadm,dc=bbb,dc=local" read by * none
entryCSN: 20210608225001.645649Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210608225001Z

olcDatabase={2}hdb.ldif

# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 89413e34
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 1244907a-5cf7-103b-94a8-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
olcSuffix: dc=bbb,dc=local
olcRootDN: cn=ldapadm,dc=bbb,dc=local
olcRootPW:: e1NTSEF9QTB0dS94UjR6cy83ZEMvQUxPL21uS2RLaXZUeFNXVEg=
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.ba
 se="cn=ldapadm,dc=bbb,dc=local" write by * none
entryCSN: 20210702202550.687485Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210702202550Z

It seems it is not writing the second portion of:

add: olcAccess
olcAccess: to * by self write by dn.base="cn=ldapadm,dc=unixguide,dc=net" write by * read

to the olcDatabase={2}hdb.ldif, as going by the example it has olcAccess: {1}to * by self write by dn.base="cn=ldapadm,dc=unixguide,dc=net" write by * read

I am guessing this is what is not working and nuking the ability to log in after I run the command. I am not sure why it is not showing up though, as I get no errors when I run the modify command with my ldif posted above...

The result from the ldapmodify is this:

[root@openldapserver ~]# ldapmodify -Y EXTERNAL  -H ldapi:/// -f passwordaccess.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
Score:1

Answer by Jari Turkia:

In dn: olcDatabase={2}hdb,cn=config you specify which rule to replace/add. My system has password access rules in dn: olcDatabase={-1}frontend.

Make sure to target the correct rule.

Comments:

Asker: So does this mean I replace the dn: line in that ldif with `dn: olcDatabase={-1}frontend`?

Jari Turkia: If you're ready to restore your LDAP again, that's what I'm suggesting. The smart move would be to peek into `/etc/openldap/slapd.d/cn=config` and see where your rules are currently, then make the choice to alter that file.

Asker: Oh, I am confused. I had broken the LDAP with my above command, but to restore I just went to a VM snapshot of it from before I made the command, so LDAP works; I just cannot use the passwd functionality still... it gives the above errors. So that line I tried that I thought would make it work did not. I will hunt in the cn=config folder; I haven't touched it much at all.

Jari Turkia: Ok. Systems are different, so the critical part would be to see which parts of the configuration you do have in `/etc/openldap/slapd.d/cn=config` and which of them have settings for permissions and/or passwords.

Asker: Okay, I am in that folder of slapd.d/cn=config; I see ldif files. One is olcDatabase={-1}frontend.ldif, but if I view that file there isn't anything about passwords. There is also a folder cn=schema with more ldif files in it one level lower. This is for a CentOS 7 machine.

Jari Turkia: The folder `cn=schema` will contain definitions for the data stored in your LDAP and in this case is not relevant. Now you need to determine which of the files contains access rules and target your changes towards that.

Asker: Updated the entry. I can get it to add one rule from the ldif but not the other rule, with no errors.

Jari Turkia: You can edit the found configuration file with a text editor. Restart slapd to make the changes effective.

Asker: Oh wow, I didn't know I could edit it directly (it said not to), but sure enough adding this: olcAccess: {1}to * by self write by dn.base="cn=ldapadm,dc=unixguide,dc=net" write by * read made everything work! Thank you!