Cannot change LDAP password when ldap_pwd_policy=shadow
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Debian) | New | Unknown | |
sssd (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Package: sssd
Version: 1.8.6-0ubuntu0.3
Severity: Critical
sssd refuses to change a user's password when ldap_pwd_policy is set to shadow
and the LDAP server has password policy support disabled.
Changing ldap_pwd_policy to none in sssd.conf fixes the problem but disables password expiration.
Enabling the ppolicy module and configuring the ppolicy overlay in slapd also fixes the problem.
Conditions:
- sssd.conf settings:
    id_provider = ldap
    access_provider = ldap
    auth_provider = ldap
    chpass_provider = ldap
    ldap_pwd_policy = shadow
- the user has shadowAccount attributes,
- slapd has the ppolicy module disabled,
- slapd has the ppolicy overlay disabled.
sssd debug output:
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [sdap_pam_
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [fo_resolve_
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [be_resolve_
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [fo_set_
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [set_server_
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [simple_bind_send] (0x0100): Executing simple bind as: uid=srj,
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [simple_bind_done] (0x0200): Server returned no controls.
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [simple_bind_done] (0x0080): Bind result: Success(0), no errmsg set
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [sdap_auth4chpa
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [be_pam_
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [be_pam_
slapd debug output:
> slap_access_
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result was in cache (memberUid)
=> access_allowed: result not in cache (modifyTimestamp)
=> access_allowed: read access to "cn=hamiltonbh,
=> dn: [3]
=> acl_get: [4] attr modifyTimestamp
=> acl_mask: access to entry "cn=hamiltonbh,
=> acl_mask: to value by "cn=view,
<= check a_dn_pat: cn=admin,
<= check a_dn_pat: cn=root,
<= check a_dn_pat: cn=root2,
<= check a_dn_pat: cn=view,
<= acl_mask: [4] applying read(=rscxd) (stop)
<= acl_mask: [4] mask: read(=rscxd)
=> slap_access_
=> access_allowed: read access granted by read(=rscxd)
slap_global_
=> access_allowed: result not in cache (userPassword)
=> access_allowed: auth access to "uid=srj,
=> acl_get: [2] attr userPassword
=> acl_mask: access to entry "uid=srj,
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,
<= check a_dn_pat: cn=root,
<= check a_dn_pat: cn=root2,
<= check a_dn_pat: uid=nobody,
<= check a_dn_pat: anonymous
<= acl_mask: [5] applying auth(=xd) (stop)
<= acl_mask: [5] mask: auth(=xd)
=> slap_access_
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: result not in cache (userPassword)
=> access_allowed: auth access to "cn=root2,
=> acl_get: [2] attr userPassword
=> acl_mask: access to entry "cn=root2,
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,
<= check a_dn_pat: cn=root,
<= check a_dn_pat: cn=root2,
<= check a_dn_pat: uid=nobody,
<= check a_dn_pat: anonymous
<= acl_mask: [5] applying auth(=xd) (stop)
<= acl_mask: [5] mask: auth(=xd)
=> slap_access_
=> access_allowed: auth access granted by auth(=xd)
=> access_allowed: search access to "dc=xxx,dc=eu" "entry" requested
Changed in sssd (Debian): status: Unknown → New
Tags added: precise
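As an added example (not code from the bug report or from sssd itself), the function below evaluates the shadowAccount ageing attributes that `ldap_pwd_policy = shadow` makes sssd enforce at login, following the field semantics of shadow(5) rather than sssd's own source, on constructed entries dated to the day the report's logs were captured. It shows the expiration checks that switching to `ldap_pwd_policy = none` gives up, and which accounts stay in the must_change state for as long as the client cannot rewrite shadowLastChange (the operation the log reports as not implemented).

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class ShadowStatus:
    state: str                # "ok", "warn", "must_change" or "expired"
    days_left: Optional[int]  # days until shadowMax is reached; None when no ageing applies

def shadow_status(entry: dict, today: int) -> ShadowStatus:
    # entry: attribute -> list of string values, as an LDAP client returns them.
    # today: days since 1970-01-01; an absent attribute counts as -1 ("no limit") per shadow(5).
    def days(attr: str) -> int:
        vals = entry.get(attr)
        return int(vals[0]) if vals else -1
    last, max_age, warn = days("shadowLastChange"), days("shadowMax"), days("shadowWarning")
    inactive, expire = days("shadowInactive"), days("shadowExpire")
    # shadowExpire is an absolute account expiry date, independent of password age.
    if expire != -1 and today > expire:
        return ShadowStatus("expired", expire - today)
    # shadowLastChange = 0 forces a change at the next login.
    if last == 0:
        return ShadowStatus("must_change", 0)
    # No shadowLastChange/shadowMax pair: nothing ages (the state ldap_pwd_policy = none leaves everyone in).
    if last == -1 or max_age == -1:
        return ShadowStatus("ok", None)
    days_left = last + max_age - today
    if days_left < 0:
        # Past shadowMax: a change is still allowed during the shadowInactive grace window, then lockout.
        if inactive != -1 and today > last + max_age + inactive:
            return ShadowStatus("expired", days_left)
        return ShadowStatus("must_change", days_left)
    if warn != -1 and days_left <= warn:
        return ShadowStatus("warn", days_left)
    return ShadowStatus("ok", days_left)

# Constructed sample entries (not from the bug report), evaluated on the day the
# report's logs were captured, 2015-01-28 (day 16463 since the epoch).
TODAY = (date(2015, 1, 28) - date(1970, 1, 1)).days
SAMPLE_ENTRIES = {
    "alice": {"shadowLastChange": ["16400"], "shadowMax": ["90"], "shadowWarning": ["7"]},
    "bob":   {"shadowLastChange": ["16380"], "shadowMax": ["90"], "shadowWarning": ["7"]},
    "carol": {"shadowLastChange": ["16300"], "shadowMax": ["90"], "shadowInactive": ["30"]},
    "dave":  {"shadowLastChange": ["16350"], "shadowMax": ["90"]},
    "erin":  {"shadowLastChange": ["0"], "shadowMax": ["90"]},
}

def ageing_report(entries: dict = SAMPLE_ENTRIES, today: int = TODAY) -> dict:
    # uid -> (state, days_left), so accounts stuck on a stale shadowLastChange stand out.
    return {uid: (s.state, s.days_left)
            for uid, s in ((u, shadow_status(e, today)) for u, e in entries.items())}
```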
Here is the most important part of the log:
(Wed Jan 28 15:41:48 2015) [sssd[be[default]]] [sdap_auth4chpass_done] (0x0020): Changing shadow password attributes not implemented.
The functionality you request is simply not implemented. Because shadow attributes are inherently insecure and obsolete, I don't see us implementing this functionality ourselves. Patches welcome, though!