Package: nslcd
Version: 0.9.7
Severity: important

nslcd appears to attempt to add rather than modify user passwords (as
was required on older OpenLDAP, but modern OpenLDAP cannot be changed
this way).

I was noticing before I installed ppolicy extra password hashes being
added to the userPassword attribute when people used the passwd utility
to change their passwords, but now I'm noticing this error after using
ppolicy on the server: "Password policy only allows one password value".

If it is indeed attempting to add rather than modify passwords, the
right thing to do on modern OpenLDAP is to use a modification of the
attribute.

Only log entry on the nslcd side is this:

Jan  9 02:23:37 sigilyph nslcd[15766]: [bbd95a] <pwmod="elizabeth">
ldap_passwd_s() with old password failed: Constraint violation: Password
policy only allows one password value

On the slapd side, I get this:

8<----- SNIP ----->8
Jan  9 02:38:56 uxie slapd[17129]: conn=1471 op=23 SRCH
base="ou=people,dc=glpgs,dc=io" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=elizabeth))"
Jan  9 02:38:56 uxie slapd[17129]: conn=1471 op=23 SRCH attr=uidNumber
cn gecos uid objectClass homeDirectory gidNumber loginShell
Jan  9 02:38:56 uxie slapd[17129]: conn=1471 op=23 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan  9 02:38:58 uxie slapd[17129]: conn=1471 op=24 SRCH
base="ou=people,dc=glpgs,dc=io" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=elizabeth))"
Jan  9 02:38:58 uxie slapd[17129]: conn=1471 op=24 SRCH attr=uid uidNumber
Jan  9 02:38:58 uxie slapd[17129]: conn=1471 op=24 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 fd=22 ACCEPT from
IP=[fd39:6dc0:9261:b::1]:51548 (IP=[::]:636)
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 fd=22 TLS established
tls_ssf=256 ssf=256
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 op=0 BIND
dn="uid=elizabeth,ou=people,dc=glpgs,dc=io" method=128
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 op=0 BIND
dn="uid=elizabeth,ou=people,dc=glpgs,dc=io" mech=SIMPLE ssf=0
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 op=0 RESULT tag=97 err=0 text=
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 op=1 SRCH
base="uid=elizabeth,ou=people,dc=glpgs,dc=io" scope=0 deref=0
filter="(objectClass=*)"
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 op=1 SRCH attr=dn
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 op=2 ABANDON msg=2
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 op=3 UNBIND
Jan  9 02:38:58 uxie slapd[17129]: conn=1499 fd=22 closed
Jan  9 02:38:58 uxie slapd[17129]: conn=1471 op=25 SRCH
base="ou=people,dc=glpgs,dc=io" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=elizabeth))"
Jan  9 02:38:58 uxie slapd[17129]: conn=1471 op=25 SRCH attr=shadowFlag
shadowMax shadowMin shadowLastChange uid shadowExpire shadowInactive
shadowWarning
Jan  9 02:38:58 uxie slapd[17129]: conn=1471 op=25 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan  9 02:38:58 uxie slapd[17129]: conn=1471 op=26 ABANDON msg=26
Jan  9 02:38:58 uxie slapd[17129]: conn=1481 op=8 SRCH
base="ou=people,dc=glpgs,dc=io" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=elizabeth))"
Jan  9 02:38:58 uxie slapd[17129]: conn=1481 op=8 SRCH attr=uidNumber cn
gecos uid objectClass homeDirectory gidNumber loginShell
Jan  9 02:38:58 uxie slapd[17129]: conn=1481 op=8 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan  9 02:39:06 uxie slapd[17129]: conn=1045 op=217 SRCH
base="ou=people,dc=glpgs,dc=io" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=root))"
Jan  9 02:39:06 uxie slapd[17129]: conn=1045 op=217 SRCH attr=uid uidNumber
Jan  9 02:39:06 uxie slapd[17129]: conn=1045 op=217 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Jan  9 02:39:06 uxie slapd[17129]: conn=1045 op=218 SRCH
base="ou=groups,dc=glpgs,dc=io" scope=2 deref=0
filter="(&(objectClass=posixGroup)(memberUid=root))"
Jan  9 02:39:06 uxie slapd[17129]: conn=1045 op=218 SRCH attr=cn gidNumber
Jan  9 02:39:06 uxie slapd[17129]: conn=1045 op=218 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Jan  9 02:39:08 uxie slapd[17129]: conn=1481 op=9 SRCH
base="ou=people,dc=glpgs,dc=io" scope=2 deref=0
filter="(&(objectClass=posixAccount)(uid=elizabeth))"
Jan  9 02:39:08 uxie slapd[17129]: conn=1481 op=9 SRCH attr=uid uidNumber
Jan  9 02:39:08 uxie slapd[17129]: conn=1481 op=9 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan  9 02:39:08 uxie slapd[17129]: conn=1481 op=10 SRCH
base="ou=people,dc=glpgs,dc=io" scope=2 deref=0
filter="(&(objectClass=shadowAccount)(uid=elizabeth))"
Jan  9 02:39:08 uxie slapd[17129]: conn=1481 op=10 SRCH attr=shadowFlag
shadowMax shadowMin shadowLastChange uid shadowExpire shadowInactive
shadowWarning
Jan  9 02:39:08 uxie slapd[17129]: conn=1481 op=10 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 fd=22 ACCEPT from
IP=[fd39:6dc0:9261:b::1]:51550 (IP=[::]:636)
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 fd=22 TLS established
tls_ssf=256 ssf=256
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=0 BIND
dn="uid=elizabeth,ou=people,dc=glpgs,dc=io" method=128
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=0 BIND
dn="uid=elizabeth,ou=people,dc=glpgs,dc=io" mech=SIMPLE ssf=0
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=0 RESULT tag=97 err=0 text=
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=1 SRCH
base="uid=elizabeth,ou=people,dc=glpgs,dc=io" scope=0 deref=0
filter="(objectClass=posixAccount)"
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=1 SRCH attr=uid uidNumber
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=2 ABANDON msg=2
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=3 EXT
oid=1.3.6.1.4.1.4203.1.11.1
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=3 PASSMOD
id="uid=elizabeth,ou=people,dc=glpgs,dc=io" new
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=3 RESULT oid= err=19
text=Password policy only allows one password value
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=4 EXT
oid=1.3.6.1.4.1.4203.1.11.1
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=4 PASSMOD
id="uid=elizabeth,ou=people,dc=glpgs,dc=io" old new
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=4 RESULT oid= err=19
text=Password policy only allows one password value
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=5 UNBIND
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 fd=22 closed
Jan  9 02:39:08 uxie slapd[17129]: conn=1481 op=11 ABANDON msg=11
8<----- SNIP ----->8

Regards,
Elizabeth
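
Added example (not part of the original report and not nslcd or OpenLDAP code): a small correlator for slapd logs like the excerpt above. It rejoins mail-wrapped records, pairs each PASSMOD with its RESULT by conn/op, and returns the ones the server rejected. OID 1.3.6.1.4.1.4203.1.11.1 in the EXT lines is the LDAP Password Modify extended operation (RFC 3062), and err=19 is constraintViolation. The function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the slapd lines quoted in the report,
# kept with the same mail-wrapped continuation lines.
SAMPLE = """\
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=2 ABANDON msg=2
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=3 EXT
oid=1.3.6.1.4.1.4203.1.11.1
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=3 PASSMOD
id="uid=elizabeth,ou=people,dc=glpgs,dc=io" new
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=3 RESULT oid= err=19
text=Password policy only allows one password value
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=4 PASSMOD
id="uid=elizabeth,ou=people,dc=glpgs,dc=io" old new
Jan  9 02:39:08 uxie slapd[17129]: conn=1500 op=4 RESULT oid= err=19
text=Password policy only allows one password value
"""

HEAD = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ slapd\[\d+\]: ")
REC = re.compile(r"conn=(\d+) op=(\d+) (\w+)\s*(.*)")

def unwrap(text):
    """Rejoin records that a mail client folded onto several lines."""
    records = []
    for line in text.splitlines():
        if HEAD.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def failed_passmods(text):
    """Return one dict per PASSMOD operation whose RESULT has err != 0."""
    ops = defaultdict(dict)
    for rec in unwrap(text):
        m = REC.search(rec)
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        entry = ops[(int(conn), int(op))]
        if verb == "PASSMOD":
            id_m = re.search(r'id="([^"]*)"\s*(.*)', rest)
            if id_m:  # trailing words say which fields the request carried
                entry["dn"], entry["fields"] = id_m.group(1), id_m.group(2).split()
        elif verb == "RESULT":
            r = re.search(r"err=(\d+)\s+text=(.*)", rest)
            if r:
                entry["err"], entry["text"] = int(r.group(1)), r.group(2).strip()
    return [dict(conn=c, op=o, **e) for (c, o), e in sorted(ops.items())
            if "dn" in e and e.get("err", 0) != 0]
```

On the sample, both attempts on conn=1500 are reported: op=3 carried only a new password, op=4 carried old and new, and both came back with err=19.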
