Bug 54534 - passwd command fails with openldap 2.0.11 or later; login fails after changing userPassword via ldapmodify
Status: CLOSED CANTFIX
Product: Red Hat Linux
Classification: Retired
Component: openldap (Show other bugs)
Version: 7.1
Hardware: i386 Linux
Priority: medium  Severity: high
Assigned To: Jay Fenlason
Aaron Brown
Reported: 2001-10-11 11:26 EDT by Alex Vorobiev
Modified: 2014-08-31 19:24 EDT (History)
Last Closed: 2006-10-18 10:46:44 EDT
Description Alex Vorobiev 2001-10-11 11:26:36 EDT
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.3-12 i686)

Description of problem:
see below

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
passwd
1. upgrade to openldap 2.0.11 or later
2. set authconfig to look up user info via ldap
3. on the server running openldap, use finger, getent, or observe
sendmail failures

ldapmodify
an MD5 password entry (created under 2.0.7-14) using "passwd" or slappasswd
-h {MD5}/ldapmodify looks like this:
# sasha, People, MathForum
dn: cn=sasha, ou=People, o=MathForum
userPassword:: e2NyeXB0fSQxJHk3SmZuR2M2JFZhR3jUNk9oNjdxLjdLWEdmMUN2LjA=

Once upgraded to 2.0.11 or 2.0.15, the entry still works, until modified
using slappasswd -h {MD5} and ldapmodify:

# sasha, People, MathForum
dn: cn=sasha, ou=People, o=MathForum
userPassword:: e01ENX1aZlBQZnQyZlRnZUtselN4UEhjTHBRPT0=

This shorter password hash causes authentication to fail, whereas it worked
under 2.0.7.


Actual Results:  passwd command fails:
passwd
[root@server /root]# passwd sasha
Changing password for user sasha
passwd: Authentication token manipulation error

login
[root@server /root]# ssh server -l sasha
sasha@server's password: 
Permission denied, please try again.
sasha@server's password: 
Permission denied, please try again.
sasha@server's password: 
Permission denied (publickey,password).


Expected Results:  with version 2.0.7-14 (under RH 7.0), the passwd command
would let the user update the current password:
passwd
[root@otherserver sasha]# passwd sasha
Changing password for user sasha
Enter login(LDAP) password: 
... and so on, completes successfully


login
successful login

Additional info:


/etc/ldap.conf contains:

pam_password md5

/etc/openldap/slapd.conf fails with or without the following:
password-hash   {MD5}

fails with nss_ldap 149-1 or 149-4
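As an added example (not part of the bug report), the following Python decodes an LDIF `userPassword::` line and checks a candidate password against the RFC 2307 digest schemes the way an LDAP-aware PAM/NSS consumer would. It also reports scheme, digest length and salt length, which confirms that a 24-character {MD5} value like the one in the report is a well-formed, unsalted 16-byte digest; all sample values here are constructed, and {crypt} values such as the working md5crypt entry are only recognised, not verified, since that needs crypt(3).

```python
import base64
import hashlib
import hmac

# RFC 2307-style digest schemes hashlib can check; {crypt} needs crypt(3) instead.
_DIGESTS = {"MD5": hashlib.md5, "SMD5": hashlib.md5,
            "SHA": hashlib.sha1, "SSHA": hashlib.sha1}

def decode_ldif_value(line):
    """Split one LDIF line: 'attr:: b64' carries base64, 'attr: v' plain text."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name.strip(), base64.b64decode(rest[1:].strip()).decode()
    return name.strip(), rest.strip()

def split_scheme(value):
    """Return (SCHEME, payload) for '{scheme}payload'; scheme is None if absent."""
    if value.startswith("{") and "}" in value:
        scheme, _, payload = value[1:].partition("}")
        return scheme.upper(), payload
    return None, value

def describe(value):
    """Diagnostic: scheme, plus digest and salt length for digest schemes."""
    scheme, payload = split_scheme(value)
    if scheme not in _DIGESTS:
        return {"scheme": scheme}
    raw = base64.b64decode(payload)
    dlen = _DIGESTS[scheme]().digest_size
    return {"scheme": scheme, "digest_len": dlen, "salt_len": len(raw) - dlen}

def make_md5_userpassword(password):
    """Build the unsalted '{MD5}' form that 'pam_password md5' writes."""
    digest = hashlib.md5(password.encode()).digest()
    return "{MD5}" + base64.b64encode(digest).decode()

def verify(value, candidate):
    """True/False for digest schemes; None if the scheme cannot be checked here."""
    scheme, payload = split_scheme(value)
    if scheme not in _DIGESTS:
        return None
    raw = base64.b64decode(payload)
    dlen = _DIGESTS[scheme]().digest_size
    digest, salt = raw[:dlen], raw[dlen:]  # salt is empty for plain MD5/SHA
    computed = _DIGESTS[scheme](candidate.encode() + salt).digest()
    return hmac.compare_digest(computed, digest)

# Constructed sample: the base64 line ldapsearch prints for such an entry.
SAMPLE_LINE = "userPassword:: " + base64.b64encode(make_md5_userpassword("secret").encode()).decode()
```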
Comment 1 Bill Nottingham 2006-08-07 13:43:38 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Red Hat apologizes that these issues have not been resolved yet. We do
want to make sure that no important bugs slip through the cracks.
Please check if this issue is still present in a current Fedora Core
release. If so, please change the product and version to match, and
check the box indicating that the requested information has been
provided. Note that any bug still open against Red Hat Linux will be
closed as 'CANTFIX' on September 30, 2006. Thanks again for your help.
Comment 2 Bill Nottingham 2006-10-18 10:46:44 EDT
Red Hat Linux is no longer supported by Red Hat, Inc. If you are still
running Red Hat Linux, you are strongly advised to upgrade to a
current Fedora Core release or Red Hat Enterprise Linux or comparable.
Some information on which option may be right for you is available at
http://www.redhat.com/rhel/migrate/redhatlinux/.

Closing as CANTFIX.
