
Because I installed an LDAP server, I am making a server/client authentication for server users, but I am having a problem with the password. If I put a password in the add LDIF file with an encoding tag in front of it, like {crypt}somepassword, and add it to LDAP as a new user, it works. But if I try to change the password with the ldappasswd command, it says

ldappasswd user
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL(-13): user not found: no secret in database

If I try with the -x parameter, it says

ldappasswd user -x
Result: Strong(er) authentication required (8)
Additional info: only authenticated users may change passwords

And ldapsetpasswd changes the password, but the password does not work.

edib

1 Answer


Your ldap server is offering SASL methods it probably shouldn't.

If you want to use a simple bind (-x) instead of SASL, you should also use -ZZ to require STARTTLS. Simple binds also require that the DN is specified with -D and the password with either -w <password> or -W, which will generate a prompt.

However, you should edit whatever Ubuntu's equivalent of /etc/sasl2/slapd.conf is to exclude SASL methods you don't support.

mech_list: external plain

Also: You should really glue password changing in with pam-ldap so that users can change their passwords with passwd.

Side note: {crypt} is probably inadvisable. If you want to store credentials directly in LDAP, you should probably use {SSHA}.

84104