Hello Folks!
Using CentOS/RHEL 5.5 and Virtualmin GPL installed through the available installation script. "2.6.18-194.11.1.el5 #1 SMP Tue Aug 10 19:09:06 EDT 2010 i686 i686 i386 GNU/Linux"
When using OpenLDAP and PAM it is impossible to change the password after it has expired.
All packages regarding LDAP are installed using yum, no source packages or similar tweaking.
Usermin pops up the dialogue to change the password at login. When entering the old password and the new password twice, an error arrives: "Failed to change password : PAM error : LDAP Password incorrect: try again"
It works when logging in via SSH as that user, but not from within Usermin. Also, you can change the password from within Usermin when it has not expired.
I have tested it on several different installations too; it is always the same error when the password has expired.
All settings in Usermin + Webmin + Virtualmin are by the book as far as our knowledge of using LDAP goes. All works except the password-expired part.
I am not so good in Perl, so I was not able to follow the code which sets the password in password_change.cgi, so it is very hard for me to track deeper what it can depend on.
Following the LDAP logs confirms that there is some binding problem; it is very long so I chopped off the first part:
Aug 21 21:09:44 marble slapd[442]: conn=112 op=7 RESULT tag=97 err=0 text=
Aug 21 21:09:44 marble slapd[442]: conn=112 op=8 BIND anonymous mech=implicit ssf=0
Aug 21 21:09:44 marble slapd[442]: conn=112 op=8 BIND dn="uid=kalle,dc=Users,dc=unix,o=Edu" method=128
Aug 21 21:09:44 marble slapd[442]: conn=112 op=8 RESULT tag=97 err=49 text=
Aug 21 21:09:44 marble slapd[442]: conn=112 op=9 BIND dn="cn=Manager,dc=unix,o=Edu" method=128
Aug 21 21:09:44 marble slapd[442]: conn=112 op=9 BIND dn="cn=Manager,dc=unix,o=Edu" mech=SIMPLE ssf=0
Aug 21 21:09:44 marble slapd[442]: conn=112 op=9 RESULT tag=97 err=0 text=
Aug 21 21:09:44 marble slapd[442]: conn=112 op=10 UNBIND
Aug 21 21:09:44 marble slapd[442]: conn=112 fd=21 closed
Aug 21 21:09:44 marble slapd[442]: conn=111 fd=18 closed (connection lost)
Aug 21 21:09:44 marble slapd[442]: conn=109 fd=13 closed (connection lost)
The ACL in OpenLDAP is as follows:
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=unix,o=Edu" write
    by * none
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by self write
    by dn.base="cn=Manager,dc=unix,o=Edu" write
    by * read
/etc/pam.d/usermin:
#%PAM-1.0
auth     include system-auth nullok
account  include system-auth
password include system-auth
session  include system-auth
/etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=1600
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_ldap.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_tally2.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=0 lcredit=0 ocredit=0
password    sufficient    pam_ldap.so use_first_pass
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=10
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_ldap.so
session     required      pam_unix.so
/etc/ldap.conf:
host 127.0.0.1
base dc=unix,o=Edu
timelimit 120
bind_timelimit 120
idle_timelimit 3600
pam_lookup_policy yes
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
rootbinddn cn=Manager,dc=unix,o=Edu
nss_base_passwd dc=Users,dc=unix,o=Edu
nss_base_group dc=Groups,dc=unix,o=Edu
nss_base_shadow dc=Users,dc=unix,o=Edu
pam_password exop
What can the problem be?
Comments
Submitted by steen on Fri, 09/10/2010 - 16:21 Comment #1
The problem remains; is there nobody who can take a look at this very nasty bug?
I had to do a workaround now by adding a link that appears when the bug comes up, telling people to change the password through another self-made website.
Submitted by JamieCameron on Fri, 09/10/2010 - 17:10 Comment #2
Sorry, I must have missed this bug.
Which page in Usermin are you able to successfully change the password on?
Also, does it help if you edit /etc/usermin/config and add the line:
passwd_cmd=passwd
This will force the use of an external command to do the password change, rather than using PAM.
Submitted by steen on Sun, 09/19/2010 - 10:38 Comment #3
Hello Jamie!
I have tried to add passwd_cmd=passwd today; it did not help.
passwd from the command line as the logged-in user works, of course.
More information: in /var/log/secure you find pam_unix complaining that the user does not exist in /etc/passwd.
I changed back /etc/usermin/changepass/config and then made a custom usermin PAM file removing all references to pam_unix, only keeping pam_ldap and what belongs to it.
Still same errors and same logfile errors.
Changing the password works when logged in to Usermin as a user; then there are no complaints or errors.
Tomorrow I will try removing everything saying Usermin should use PAM and see if something is missing.
I am very sorry I do not know Perl, or I could find it.
(Also I have noticed this problem on many other open-source web-based interfaces and webmail systems.)
Submitted by JamieCameron on Sun, 09/19/2010 - 15:18 Comment #4
Ok .. please let us know what you find.
The file that does the password change when it has expired is
/usr/libexec/usermin/password_change.cgi
Submitted by steen on Mon, 09/20/2010 - 14:33 Comment #5
Hello Jamie!
The password change script is somewhat complicated for a beginner in Perl :-)
These are my discoveries so far in the environment:
/etc/usermin/changepass/config:
...
passwd_cmd=passwd
...
smbpasswd=smbldap-passwd
...
md5=1
Logfile output in /var/log/secure is this:
Sep 20 20:58:25 marble xec/usermin/password_change.cgi: pam_unix(passwd:chauthtok): user "kitaro" does not exist in /etc/passwd
It indicates that pam_ldap was supplied with wrong user and/or password information, so it fell through in PAM to pam_unix. I did however remove all pam_unix from the usermin PAM file; it did not help, still the same problem and log entry.
Also pam_tally indicates something goes wrong when someone logs in with an expired password, directly after submitting the old + new password page:
pam_tally2 --reset
Login           Failures Latest failure     From
kitaro              1    09/20/10 21:05:24  unknown
Submitted by JamieCameron on Mon, 09/20/2010 - 23:02 Comment #6
Does your /etc/pam.d/passwd file have an entry to use mod_ldap? I assume that it must, if the passwd command works from the command line.
Submitted by steen on Tue, 09/21/2010 - 13:17 Comment #7
Hello Jamie!
Yes it does, and all other kinds of password changes work when the password is expired.
Okay, pam.d/passwd calls system-auth:
#%PAM-1.0
auth     include system-auth
account  include system-auth
password include system-auth
And system-auth contains pam_ldap:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_tally2.so deny=5 onerr=fail unlock_time=300
auth        sufficient    pam_ldap.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     sufficient    pam_ldap.so
account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_tally2.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=0 lcredit=0 ocredit=0
password    sufficient    pam_ldap.so use_first_pass
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=10
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     sufficient    pam_ldap.so
session     required      pam_unix.so
Submitted by JamieCameron on Tue, 09/21/2010 - 19:33 Comment #8
About that passwd_cmd=/usr/bin/passwd line - did you add it to /etc/usermin/config? Above you mentioned it being in /etc/usermin/changepass/config
Submitted by steen on Thu, 09/23/2010 - 14:17 Comment #9
Hello Jamie!
Okay, almost there, very close to a final working solution now! :-)
FYI, when we are done and have this working, we will as a next step buy Virtualmin Pro for our business!
This time the password was successfully changed in LDAP.
BUT it did NOT change the user's IMAP password stored in inbox.imap, so it still fails; neither did it change the smbldap password.
I assume I have to wrap the passwd command to make it work fully; the question then is what arguments are sent from Usermin with "passwd_cmd=/usr/bin/passwd"?
This is how I did the wrapping, and it works in the lab at least, but it feels somewhat unsafe and lacks a lot of the normal passwd command functions:
/etc/usermin/config:
...
passwd_cmd=/usr/local/scripts/wpass.sh
...
/usr/local/scripts/wpass.sh:
#!/bin/bash
# Faking passwd command.
echo -ne "New old password:"
read -s p
echo -ne "\nNew UNIX password:"
read -s p1
echo -ne "\nEnter New password again:"
read -s p2
# The two copies of the new password were never compared; refuse a mismatch.
if [ "$p1" != "$p2" ]; then
    echo -e "\nPasswords do not match"
    exit 1
fi
# Changing ldap and smb passwords
/usr/local/bin/smbldap-passwd-script "$1" "$p2"
if [ $? -gt 0 ]; then
    echo -e "\nPassword change failed"
    exit 1
else
    # Correcting the user inbox.imap password. The command in this branch was
    # lost from the post; calling upass.sh with the same arguments is assumed.
    /usr/local/scripts/upass.sh "$1" "$p2"
fi
/usr/local/scripts/upass.sh:
#!/bin/sh
# Change usermin imap password file
# Home directory via NSS, so LDAP users resolve the same way as local ones.
U=$(getent passwd "$1" | cut -d: -f6)
F="$U/.usermin/mailbox/inbox.imap"
# Replace the whole pass= line instead of using the old line as the sed pattern,
# which broke when the stored password contained sed metacharacters.
sed "s|^pass=.*|pass=$2|" "$F" > "$F.tmp"
mv "$F.tmp" "$F"
G=$(id -gn "$1")
chown "$1:$G" "$F"
chmod og-rw "$F"
The /usr/local/bin/smbldap-passwd-script is a hacked variant of the similar smbldap-tools command, but this one takes username and password as arguments to change the password for both LDAP Unix logins and Samba.
If I had been clever enough to code in Perl or C, I would make a much better wrapper.
The big question now is: is there a predefined way to do this without all the wrapping? I prefer standard solutions, and this is what we call a quick and dirty hack.
Submitted by JamieCameron on Thu, 09/23/2010 - 22:55 Comment #10
The password command gets run as root, with the username as a parameter. Usermin then expects it to prompt for the old and new passwords, as the passwd command does normally .. I presume that on your system you can run
passwd USERNAME
as root and it works OK?
Submitted by steen on Fri, 09/24/2010 - 15:52 Comment #11
Yes! passwd command works ok.
I had to wrap the passwd command in order to add a function to also change the $HOME/.usermin/mailbox/inbox.imap file to reflect the IMAP password for mail.
If there is another way to do that part it would be nice.
In any case my wrapping works; it emulates the passwd questions and passes the parameters to smbldap-passwd and some Unix commands fixing the inbox.imap file.
Submitted by steen on Sat, 09/25/2010 - 10:17 Comment #12
I did some more checkouts.
It works, yes, but there are some nasty things. I tested both using the Unix passwd command and the wrapped variant.
For both the Unix passwd command and the wrapped variant:
Something must be missing here; I guess it is because root runs the passwd command, and all rules are overridden.
Password complexity rules must work when users log in and change passwords.
Submitted by JamieCameron on Sun, 09/26/2010 - 02:00 Comment #13
So does your wrapper script end up calling the real passwd command, and if so does it work OK?
Submitted by steen on Wed, 10/06/2010 - 13:42 Comment #17
Hello again!
No, the wrapper script does not call the passwd command; it has to do all the checks and in the end calls a modified version of smbldap-passwd plus a script which also modifies inbox.imap.
Also I have successfully been using slappasswd; if you enable and configure LDAP ppolicy it also respects that, but you still have to wrap it. But there were other problems with ppolicy and other applications.
And yes, it works with the passwd command only too, but with the following issues:
1. It does not respect password complexity rules at all; you can enter 123456 as password.
2. It does not change the password in $HOME/.usermin/mailbox/inbox.imap
The passwd command from the command line works too; it respects password complexity etc.
So I guess I am stuck with the wrapper script until some nice person does something about it.
Submitted by JamieCameron on Thu, 10/07/2010 - 00:55 Comment #18
So what confuses me is: why does the passwd command work from the command line, but not when run by Usermin?
Submitted by steen on Thu, 10/07/2010 - 13:06 Comment #19
I think we misunderstood each other.
In comment 9 above I wrote that passwd changes correctly if doing as you say in comment 9 (the passwd_cmd=/usr/bin/passwd line - did you add it to /etc/usermin/config).
There is one known big issue with that:
It does not respect the password policy from PAM; any password will do. The most likely cause is that the passwd command is executed as root, not the user himself!!
A minor issue is that it does not change the POP3 password stored in $HOME/.usermin/mailbox/inbox.imap
I could live with the minor issue, but not the big issue.
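An added example, not code from this thread, Usermin or Virtualmin, of what a safer passwd_cmd wrapper for the situation in comments #9 and #19 could look like: it emulates the passwd prompts, applies its own length and character-class check because the command runs as root and so bypasses pam_cracklib, hands the change to RHEL's `passwd --stdin`, and rewrites the pass= line of inbox.imap instead of feeding the old password into a sed pattern. The policy function is a simplification assumed here, not pam_cracklib's credit rules; the file path and the smbldap step being replaced by passwd are assumptions.

```python
#!/usr/bin/env python3
# Added example, not Usermin/Virtualmin code. Usermin runs passwd_cmd as root
# with the username as argv[1]; root is not subject to pam_cracklib, so a local
# policy is checked here before the change is handed to RHEL's "passwd --stdin".
import getpass, os, pwd, subprocess, sys

MINLEN = 8  # mirrors minlen=8 on the thread's pam_cracklib line

def password_acceptable(new, old):
    """Simplified local policy (an assumption, not pam_cracklib's credit rules): min
    length, not the old password, two character classes (refuses the thread's 123456)."""
    if len(new) < MINLEN or new == old:
        return False
    classes = {"l" if c.islower() else "u" if c.isupper() else
               "d" if c.isdigit() else "o" for c in new}
    return len(classes) >= 2

def rewrite_imap_config(text, new_password):
    """Replace only the pass= line; the old password is never used as a sed pattern."""
    lines = [("pass=" + new_password) if l.startswith("pass=") else l
             for l in text.splitlines()]
    return "\n".join(lines) + "\n"

def update_imap_file(user, new_password):
    path = os.path.join(pwd.getpwnam(user).pw_dir, ".usermin", "mailbox", "inbox.imap")
    if not os.path.exists(path):
        return False
    st = os.stat(path)
    with open(path) as fh:
        body = rewrite_imap_config(fh.read(), new_password)
    with open(path + ".tmp", "w") as fh:
        fh.write(body)
    os.chown(path + ".tmp", st.st_uid, st.st_gid)  # keep the user's ownership
    os.chmod(path + ".tmp", 0o600)  # same intent as the thread's chmod og-rw
    os.rename(path + ".tmp", path)  # atomic replace
    return True

def main(argv):
    user = argv[1]
    old = getpass.getpass("(current) UNIX password: ")  # Usermin authenticated the user at login
    new = getpass.getpass("New UNIX password: ")
    if new != getpass.getpass("Retype new UNIX password: ") or not password_acceptable(new, old):
        print("passwd: password rejected (mismatch or local policy)")
        return 1
    rc = subprocess.run(["/usr/bin/passwd", "--stdin", user], input=(new + "\n").encode()).returncode
    if rc == 0:
        update_imap_file(user, new)
    return rc

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Install it as passwd_cmd=/path/to/this/script in /etc/usermin/config; a password refused by the local check is reported on stdout before anything is changed in LDAP.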