[Bug 546398] New: Changing LDAP password fails with "pam_ldap: ldap_extended_operation_s Protocol error"
http://bugzilla.novell.com/show_bug.cgi?id=546398

Summary: Changing LDAP password fails with "pam_ldap: ldap_extended_operation_s Protocol error"
Classification: openSUSE
Product: openSUSE 11.0
Version: Final
Platform: i386
OS/Version: openSUSE 11.0
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: syseng@adnovum.ch
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

*SIGH* LDAP client behaviour has changed (again) with OpenSUSE 11.0 ...

The following configuration worked fine for OpenSUSE 10.3 and Sun Directory Server 5.2 with Replicas:

# cat /etc/ldap.conf
uri ldaps://ldap.example.com:636
base dc=example,dc=com
scope one
ldap_version 3
ssl on
tls_reqcert never
tls_checkpeer no
tls_crlcheck none
binddn cn=proxyagent,ou=special_users,dc=example,dc=com
bindpw ************
debug 0
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 60
pam_lookup_policy yes
pam_password exop
nss_initgroups_ignoreusers root,ldap
nss_schema rfc2307bis
nss_map_attribute uniqueMember member
nss_base_passwd ou=people,dc=example,dc=com
nss_base_shadow ou=people,dc=example,dc=com
nss_base_group ou=group,dc=example,dc=com
nss_base_hosts ou=hosts,dc=example,dc=com
nss_base_services ou=services,dc=example,dc=com
nss_base_networks ou=networks,dc=example,dc=com
nss_base_protocols ou=protocols,dc=example,dc=com
nss_base_rpc ou=rpc,dc=example,dc=com
nss_base_ethers ou=ethers,dc=example,dc=com
nss_base_netmasks ou=networks,dc=example,dc=com
nss_base_netgroup ou=netgroup,dc=example,dc=com

# cat /etc/nsswitch.conf
passwd: compat
group: files ldap
hosts: files dns
networks: files
services: files ldap
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files ldap
publickey: files
bootparams: files
automount: files ldap
aliases: files ldap
passwd_compat: ldap

# cat /etc/security/pam_unix2.conf
auth: use_ldap nullok
account: use_ldap
password: use_ldap nullok
session: none

This is NEW, introduced with Suse 11.0:

# cat /etc/pam.d/common-account-pc
account requisite pam_unix2.so
account sufficient pam_localuser.so
account required pam_ldap.so use_first_pass

# cat /etc/pam.d/common-auth-pc
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass

# cat /etc/pam.d/common-password-pc
password requisite pam_pwcheck.so nullok cracklib remember= no_obscure_checks
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok

# cat /etc/pam.d/common-session-pc
session required pam_limits.so
session required pam_unix2.so
session optional pam_ldap.so
session optional pam_umask.so

Using the above configuration everything except changing the LDAP password with the 'passwd' command works fine. This also worked fine with OpenSUSE 10.3 and SLES 10 SP2. With OpenSUSE 11.0 the following error occurs:

bernd@adnws007:~> passwd
Changing password for bernd.
Enter login(LDAP) password:
New Password:
Reenter New Password:
LDAP password information update failed: Protocol error
passwd: Permission denied

adnws007:~ # cat /var/log/messages
Oct 13 10:06:39 adnws007 passwd[6665]: pam_unix2(passwd:chauthtok): user "bernd" does not exist in /etc/passwd or NIS
Oct 13 10:06:39 adnws007 passwd[6665]: pam_unix2(passwd:chauthtok): user "bernd" does not exist in /etc/passwd or NIS
Oct 13 10:06:50 adnws007 passwd[6665]: pam_ldap: ldap_extended_operation_s Protocol error
Oct 13 10:06:50 adnws007 passwd[6665]: User bernd: Permission denied
Oct 13 10:06:50 adnws007 passwd[6665]: password change failed, pam error 6 - account=bernd, uid=3031, by=3031

Sun Directory Server 5.2 reports an invalid LDAP extension:

[13/Oct/2009:09:44:05 +0200] conn=6037 op=8 msgId=9 - BIND dn="uid=bernd,ou=people,o=adnovum,c=ch" method=128 version=3
[13/Oct/2009:09:44:05 +0200] conn=6037 op=8 msgId=9 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bernd,ou=people,o=adnovum,c=ch"
[13/Oct/2009:09:44:05 +0200] conn=6037 op=9 msgId=10 - EXT oid="1.3.6.1.4.1.4203.1.11.1"
[13/Oct/2009:09:44:05 +0200] conn=6037 op=9 msgId=10 - RESULT err=2 tag=120 nentries=0 etime=0

How can one fix this and enable the good old behaviour that worked fine for years?

Thanks in advance.
Regards,
Bernd

Reproducible: Always

Steps to Reproduce:
1. Set up Sun Directory Server 5.2
2. Configure OpenSUSE 11.0 with LDAP as naming service
3. Change LDAP user password with 'passwd'
4. Compare to SUSE 10.3 / SLES 10

Actual Results:
LDAP password information update failed: Protocol error

Expected Results:
LDAP password information changed for bernd

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
User rhafer@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=546398#c1

--- Comment #1 from Ralf Haferkamp

> User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2
> *SIGH* LDAP client behaviour has changed (again) with OpenSUSE 11.0 ... The following configuration worked fine for OpenSUSE 10.3 and Sun Directory Server 5.2 with Replicas:
> # cat /etc/ldap.conf
> [..]
> pam_password exop

Your ldap-client is configured to use the "Change Password Extended Operation" for password changes.

> [..]
> Sun Directory Server 5.2 reports an invalid LDAP extension:
> [13/Oct/2009:09:44:05 +0200] conn=6037 op=8 msgId=9 - BIND dn="uid=bernd,ou=people,o=adnovum,c=ch" method=128 version=3
> [13/Oct/2009:09:44:05 +0200] conn=6037 op=8 msgId=9 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bernd,ou=people,o=adnovum,c=ch"
> [13/Oct/2009:09:44:05 +0200] conn=6037 op=9 msgId=10 - EXT oid="1.3.6.1.4.1.4203.1.11.1"
> [13/Oct/2009:09:44:05 +0200] conn=6037 op=9 msgId=10 - RESULT err=2 tag=120 nentries=0 etime=0

But your server does not seem to support it.

> How can one fix this and enable the good old behaviour that worked fine for years?

Are you sure that you use the exact same configuration on SLES10/10.3? AFAIK yast2-ldap-client didn't set "pam_password exop" there.

Please check if your LDAP Server supports that extension. If it doesn't, try:

pam_password crypt

in /etc/ldap.conf. You can also do that with yast2 ldap-client (under Advanced Configuration).

You can also try if this works:

pam_password: exop_send_old
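The check Ralf asks for in comment #1 (does the server advertise the Password Modify extended operation, OID 1.3.6.1.4.1.4203.1.11.1, before "pam_password exop" is enabled) can be scripted against the root DSE. This is an added example, not code from the bug report, pam_ldap or yast2-ldap-client; it assumes the root DSE has already been fetched as LDIF, e.g. with `ldapsearch -x -H ldaps://ldap.example.com:636 -s base -b "" supportedExtension`, and the two sample LDIF entries are constructed.

```python
"""Decide whether a directory supports the LDAP Password Modify extended
operation (RFC 3062) by reading supportedExtension from its root DSE."""
import base64

# OID the client sends for "pam_password exop"; it is the one Sun DS
# rejected with err=2 (protocolError) in the access log above.
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"


def parse_ldif_attrs(ldif_text: str) -> dict:
    """Parse one LDIF entry into {attribute-name-lowercased: [values]}.
    Handles folded lines (continuation starts with a space), comments,
    and base64 values ("attr:: <b64>"); URL values ("attr:< ...") are
    kept verbatim."""
    logical = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and logical:      # folded continuation line
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    attrs = {}
    for line in logical:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):                 # "::" marks a base64 value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value)
    return attrs


def supports_password_modify(root_dse_ldif: str) -> bool:
    """True when the root DSE lists RFC 3062 among supportedExtension."""
    exts = parse_ldif_attrs(root_dse_ldif).get("supportedextension", [])
    return PASSWORD_MODIFY_OID in exts


def recommended_pam_password(root_dse_ldif: str) -> str:
    """Mirror the advice in comment #1: keep "exop" only when the server
    advertises the operation, otherwise fall back to "crypt"."""
    return "exop" if supports_password_modify(root_dse_ldif) else "crypt"


# Constructed sample: a server that supports StartTLS and Password Modify
# (the second OID is folded across two lines, as LDIF allows).
ROOT_DSE_WITH_EXOP = """dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11
 .1
"""
# Constructed sample: a server that only advertises StartTLS.
ROOT_DSE_WITHOUT_EXOP = """dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
"""
```

The same parser works on the output of any LDIF-producing client, so it can be pointed at each replica in turn; a replica that drops the OID from its root DSE is exactly the case that produces the "Protocol error" seen in the report.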