2012. május 22., kedd

"password aged" When Authenticating Against OpenLDAP

What to do, when you see the following message upon logging on to a client authenticating against OpenLDAP?
You are required to change your password immediately (password aged)
Enter login(LDAP) password:
(Ez a cikk magyarul is olvasható)Piece of cake! Let's change the password. It can be done - we've dealt with that last time. But when loggong on next time, the same message appears. Lovely.
Fisrt we reproduce the error. As you might remember, some time ago we created the user called jdoe. So we have John Doe, but he has no shadow account. On second thought he has one, as the followng command will clearly show the shadowAccount object class on jdoe:
ldapsearch -D cn=admin,dc=itthon,dc=cucc -b dc=itthon,dc=cucc -w secret -LLL 'uid=jdoe'
We did not set up any sahdow-attribute yet, though. (By the way de do not use the -H ldapi:/// switch because we put the URI in the file /etc/ldap/ldap.conf)
Let's create a file called jdoe_shadow_on.ldif:
dn: uid=jdoe,ou=People,dc=itthon,dc=cucc
changetype: modify
add: shadowLastChange
shadowLastChange: 15461
add: shadowMax
shadowMax: 45
If the attribute shadowLastChange has already existed (because John already changed his password) modify the file accordingly. When ready, issue the comand:
ldapmodify -D cn=admin,dc=itthon,dc=cucc -w secret -f jdoe_shadow_on.ldif
If you did not get the error message before, from now on you will. The reason is that the value of the  shadowMax cannot be read by the client.
Want to be absolutely sure? Create the file jdoe_shadow_off.ldif fájlt:
dn: uid=jdoe,ou=People,dc=itthon,dc=cucc
changetype: modify
delete: shadowLastChange
delete: shadowMax
Make it happen:
ldapmodify -D cn=admin,dc=itthon,dc=cucc -w secret -f jdoe_shadow_off.ldif
And there you got it: John is able to log on again withot the error message.
Lets get back to the state where the error message comes and prepare our newest ACL file (let us call it acl.ldif):
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn="cn=admin,dc=itthon,dc=cucc" write by * none
olcAccess: {1}to attrs=shadowLastChange,shadowMax by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=itthon,dc=cucc" write by * read
When ready, issue the command:
sudo ldapmodify -Y EXTERNAL -f acl.ldif
And John can log on smoothly, no "password aged".
For investigating the problem the command getent shadow might come handy. Try it when changing ACLs. The actual ACL in effect can be observed by using the command:
sudo ldapsearch -Y EXTERNAL -b olcDatabase={1}hdb,cn=config

Nincsenek megjegyzések: