http://bugzilla.novell.com/show_bug.cgi?id=546398 Summary: Changing LDAP password fails with "pam_ldap: ldap_extended_operation_s Protocol error" Classification: openSUSE Product: openSUSE 11.0 Version: Final Platform: i386 OS/Version: openSUSE 11.0 Status: NEW Severity: Normal Priority: P5 - None Component: Network AssignedTo: bnc-team-screening@forge.provo.novell.com ReportedBy: syseng@adnovum.ch QAContact: qa@suse.de Found By: --- User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 *SIGH* LDAP client behaviour has changed (again) with OpenSUSE 11.0 ... The following configuration worked fine for OpenSUSE 10.3 and Sun Directory Server 5.2 with Replicas: # cat /etc/ldap.conf uri ldaps://ldap.example.com:636 base dc=example,dc=com scope one ldap_version 3 ssl on tls_reqcert never tls_checkpeer no tls_crlcheck none binddn cn=proxyagent,ou=special_users,dc=example,dc=com bindpw ************ debug 0 timelimit 30 bind_timelimit 30 bind_policy soft idle_timelimit 60 pam_lookup_policy yes pam_password exop nss_initgroups_ignoreusers root,ldap nss_schema rfc2307bis nss_map_attribute uniqueMember member nss_base_passwd ou=people,dc=example,dc=com nss_base_shadow ou=people,dc=example,dc=com nss_base_group ou=group,dc=example,dc=com nss_base_hosts ou=hosts,dc=example,dc=com nss_base_services ou=services,dc=example,dc=com nss_base_networks ou=networks,dc=example,dc=com nss_base_protocols ou=protocols,dc=example,dc=com nss_base_rpc ou=rpc,dc=example,dc=com nss_base_ethers ou=ethers,dc=example,dc=com nss_base_netmasks ou=networks,dc=example,dc=com nss_base_netgroup ou=netgroup,dc=example,dc=com # cat /etc/nsswitch.conf passwd: compat group: files ldap hosts: files dns networks: files services: files ldap protocols: files rpc: files ethers: files netmasks: files netgroup: files ldap publickey: files bootparams: files automount: files ldap aliases: files ldap passwd_compat: ldap # cat /etc/security/pam_unix2.conf auth: use_ldap nullok account: use_ldap password: use_ldap nullok session: none This is NEW introduced with Suse 11.0: # cat /etc/pam.d/common-account-pc account requisite pam_unix2.so account sufficient pam_localuser.so account required pam_ldap.so use_first_pass # cat /etc/pam.d/common-auth-pc auth required pam_env.so auth sufficient pam_unix2.so auth required pam_ldap.so use_first_pass # cat /etc/pam.d/common-password-pc password requisite pam_pwcheck.so nullok cracklib remember= no_obscure_checks password sufficient pam_unix2.so use_authtok nullok password required pam_ldap.so try_first_pass use_authtok # cat /etc/pam.d/common-session-pc session required pam_limits.so session required pam_unix2.so session optional pam_ldap.so session optional pam_umask.so Using the above configuration everything except changing the LDAP password with the 'passwd' command works fine. This also worked fine with OpenSUSE 10.3 and SLES 10 SP2. With OpenSUSE 11.0 the following error occurs: bernd@adnws007:~> passwd Changing password for bernd. Enter login(LDAP) password: New Password: Reenter New Password: LDAP password information update failed: Protocol error passwd: Permission denied adnws007:~ # cat /var/log/messages Oct 13 10:06:39 adnws007 passwd[6665]: pam_unix2(passwd:chauthtok): user "bernd" does not exist in /etc/passwd or NIS Oct 13 10:06:39 adnws007 passwd[6665]: pam_unix2(passwd:chauthtok): user "bernd" does not exist in /etc/passwd or NIS Oct 13 10:06:50 adnws007 passwd[6665]: pam_ldap: ldap_extended_operation_s Protocol error Oct 13 10:06:50 adnws007 passwd[6665]: User bernd: Permission denied Oct 13 10:06:50 adnws007 passwd[6665]: password change failed, pam error 6 - account=bernd, uid=3031, by=3031 Sun Directory Server 5.2 reports an invalid LDAP extension: [13/Oct/2009:09:44:05 +0200] conn=6037 op=8 msgId=9 - BIND dn="uid=bernd,ou=people,o=adnovum,c=ch" method=128 version=3 [13/Oct/2009:09:44:05 +0200] conn=6037 op=8 msgId=9 - RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=bernd,ou=people,o=adnovum,c=ch" [13/Oct/2009:09:44:05 +0200] conn=6037 op=9 msgId=10 - EXT oid="1.3.6.1.4.1.4203.1.11.1" [13/Oct/2009:09:44:05 +0200] conn=6037 op=9 msgId=10 - RESULT err=2 tag=120 nentries=0 etime=0 How can one fix this and enable the good old behaviour that worked fine for years? Thanks in advance. Regards, Bernd Reproducible: Always Steps to Reproduce: 1. Setup Sun Directory Server 5.2 2. Configure OpenSUSE 11.0 with LDAP as naming service 3. Change LDAP user password with 'passwd' 4. Compare to SUSE 10.3 / SLES 10 Actual Results: LDAP password information update failed: Protocol error Expected Results: LDAP password information changed for bernd -- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.