Passwd -r ldap fails

Solaris 9 clients and Solaris 10 x86 clients work fine.
But the Solaris 10 (3/05) SPARC version fails.
Config files are all the same.
One client is fully patched and one has no patches, but the problem persists on both.
#passwd -r ldap
passwd: Changing password for testuser
passwd: User unknown: testuser
Permission denied
Is this a well-known error?
Grateful for any assistance.

Running passwd in debug mode gives the following result.
pam.conf:
passwd auth binding pam_passwd_auth.so.1 debug server_policy
passwd auth required pam_ldap.so.1 debug
passwd fails:
Jul 7 08:51:06 sol10sparc passwd[1339]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd testuser), flags = 0
Jul 7 08:51:06 sol10sparc passwd[1339]: [ID 647000 auth.debug] ldap pam_sm_authenticate(passwd testuser), AUTHTOK not set
passwd works fine:
Jul 7 08:59:00 sol10x86 passwd[1191]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd testuser), flags = 0
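As a triage aid for the debug output above, here is an added example (my own code, not part of the original post) in Python: it parses the pam_ldap debug lines quoted in the post, groups them per passwd process (host plus pid), and reports which host's transaction reached pam_ldap with no authentication token. The sample input is the three syslog lines quoted above; the function names and the grouping scheme are my own construction.

```python
import re
from collections import defaultdict

# Sample input: the three syslog lines quoted in the post above (pam_ldap with
# the "debug" option on two Solaris 10 hosts). No other lines are assumed.
SAMPLE_LOG = """\
Jul 7 08:51:06 sol10sparc passwd[1339]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd testuser), flags = 0
Jul 7 08:51:06 sol10sparc passwd[1339]: [ID 647000 auth.debug] ldap pam_sm_authenticate(passwd testuser), AUTHTOK not set
Jul 7 08:59:00 sol10x86 passwd[1191]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd testuser), flags = 0
"""

# Solaris syslog line: timestamp, host, program[pid], [ID msgid facility.level],
# then the pam_ldap message "ldap <function>(<service> <user>), <detail>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[(?P<pid>\d+)\]: "
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] (?P<module>\w+) "
    r"(?P<func>\w+)\((?P<service>\w+) (?P<user>\S+)\), (?P<detail>.*)$"
)


def parse_log(text):
    """Return one dict per line in the pam_ldap debug format; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            records.append(rec)
    return records


def triage(text):
    """Group events per (host, pid): one passwd process is one PAM transaction.

    A transaction that logs 'AUTHTOK not set' entered pam_ldap without a
    password in PAM_AUTHTOK, so pam_ldap cannot bind as the user and passwd
    reports a failure even though the configuration files look identical.
    """
    tx = defaultdict(lambda: {"user": None, "service": None,
                              "events": [], "authtok_missing": False})
    for r in parse_log(text):
        t = tx[(r["host"], r["pid"])]
        t["user"], t["service"] = r["user"], r["service"]
        t["events"].append(r["detail"])
        if "AUTHTOK not set" in r["detail"]:
            t["authtok_missing"] = True
    return dict(tx)


def failing_hosts(text):
    """Hosts on which at least one passwd transaction ran pam_ldap without an authtok."""
    return sorted({host for (host, _), t in triage(text).items() if t["authtok_missing"]})


if __name__ == "__main__":
    for (host, pid), t in triage(SAMPLE_LOG).items():
        status = "AUTHTOK missing" if t["authtok_missing"] else "ok"
        print(f"{host} pid={pid} service={t['service']} user={t['user']}: "
              f"{status} ({len(t['events'])} events)")
```

The useful signal is not the text passwd prints ("User unknown") but that on the failing host pam_ldap's pam_sm_authenticate is entered with no PAM_AUTHTOK, so whatever is stacked before it in the passwd auth stack did not leave a password behind; putting the two hosts' transactions side by side is what isolates that difference.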

Similar Messages

  • User passwd -r ldap fails

    Solaris 9 clients and Solaris 10 x86 clients work fine.
    But the Solaris 10 (3/05) SPARC version fails.
    #passwd -r ldap
    passwd: Changing password for testuser
    passwd: User unknown: testuser
    Permission denied
    I use same pam.conf and nsswitch.conf on all.
    All clients are initialized with the same ldap_profile and
    this works fine.
    I use pam.conf from
    http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view
    The client does not seem to contact the server.
    If I monitor traffic, I cannot see any packets.
    Running passwd in debug mode gives the following result.
    pam.conf:
    passwd auth binding pam_passwd_auth.so.1 debug server_policy
    passwd auth required pam_ldap.so.1 debug
    passwd fails:
    Jul 7 08:51:06 sol10sparc passwd[1339]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd testuser), flags = 0
    Jul 7 08:51:06 sol10sparc passwd[1339]: [ID 647000 auth.debug] ldap pam_sm_authenticate(passwd testuser), AUTHTOK not set
    passwd works fine:
    Jul 7 08:59:00 sol10x86 passwd[1191]: [ID 285619 auth.debug] ldap pam_sm_authenticate(passwd testuser), flags = 0
    One SPARC client is fully patched and one has no patches, but the problem persists on both.
    Is this a well-known error?
    Grateful for any assistance.

    Just curious to know: if you were to comment out all "pam_unix_cred.so.1" lines in /etc/pam.conf, would it help?
    I know this shared object file is only found in Solaris 10; it is not found in Solaris 8/9. You may "man pam_ldap" in Solaris 10 to find out what this file is for.
    We are merely trying to use a working copy of pam.conf from Solaris 8/9 in Solaris 10.
    Gary

  • Help! - Bind Request to LDAP Failed

    Hi All,
    I'm running XP and 9.2 and getting the "Bind request to LDAP failed" error when logging onto ODM. ldapbind on the command line returns a message that it cannot find the server. I've seen numerous postings on this problem and tried all the suggestions without luck. Does anyone have an explanation of what is going on and how to correct it?
    Thanks,
    Tom Burns

    Active Directory (AD) uses port 389 as default, I fixed my problem by changing my OID configuration set to use another port.
    Hope this could help you.

  • WLS 10.3 - Self Registration with External LDAP Fails (somewhat)

    I have a WLS 10.3.5 instance with WebCenter Spaces.
    I've added an OpenLDAP provider to the security realm, set the OpenLDAP provider and the default authenticator to "sufficient", and reordered the providers in the console to list the OpenLDAP provider first. I've also set "virtualize=true" via the Enterprise Manager interface, and added the <extendedProperty> attributes for "user.create.bases" and "group.create.bases" in the jps-config.xml file.
    Using the self registration feature in Spaces, I fill in a proposed new user name, and select "check availability". The check returns "available".
    I finish the registration, and submit. I receive the following error, and the registration page remains on the screen:
    "User not created. Either the user name or the password does not adhere to the registration policy or the identity store is unavailable. Specify the required user credentials or contact your administrator for assistance." NO ERROR in the Spaces logs.
    But I look in OpenLDAP, and lo and behold, the user DID get created.
    So remember I still haven't left the registration page. Clicking the "check availability" button still returns "available".
    Now clicking the submit button throws the following message:
    "A user with the name <insert name entered previously in the "failed" registration> already exists. Choose another name."
    The following error is logged in the Spaces log:
    [WC_Spaces] [WARNING] [] [oracle.ods.virtualization.exception] [tid: [ACTIVE].ExecuteThread: '4' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: anonymous] [ecid: 004h0uRltQY9Dgh_x9h8iW0003qO0001rr,0:1] [APP: webcenter#11.1.1.4.0] [URI: /webcenter/faces/oracle/webcenter/page/scopedMD/s8bba98ff_4cbb_40b8_beee_296c916a23ed/businessRolePages/AppSelfRegistration.jspx] OVD-40077[[
    javax.naming.NameAlreadyBoundException: [LDAP: error code 68 - Entry Already Exists]; remaining name 'cn=<redacted>,ou=<redacted>,dc=<redacted>,dc=<redacted>,dc=<redacted>'
         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3036)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
         at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
         at com.sun.jndi.ldap.LdapCtx.c_createSubcontext(LdapCtx.java:788)
         at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_createSubcontext(ComponentDirContext.java:319)
         at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.createSubcontext(PartialCompositeDirContext.java:248)
         at javax.naming.directory.InitialDirContext.createSubcontext(InitialDirContext.java:183)
         at oracle.ods.virtualization.engine.backend.jndi.ConnectionHandle.createSubcontext(ConnectionHandle.java:133)
         at oracle.ods.virtualization.engine.backend.jndi.BackendJNDI.add(BackendJNDI.java:457)
         at oracle.ods.virtualization.engine.chain.Chain.nextAdd(Chain.java:193)
         at oracle.ods.virtualization.engine.chain.BasePlugin.add(BasePlugin.java:67)
         at oracle.ods.virtualization.engine.chain.Chain.nextAdd(Chain.java:202)
         at oracle.ods.virtualization.engine.chain.BasePlugin.add(BasePlugin.java:67)
         at oracle.ods.virtualization.engine.chain.plugins.virtualattr.VirtualAttributePlugin.add(VirtualAttributePlugin.java:926)
         at oracle.ods.virtualization.engine.chain.Chain.nextAdd(Chain.java:202)
         at oracle.ods.virtualization.engine.chain.BasePlugin.add(BasePlugin.java:67)
         at oracle.ods.virtualization.engine.chain.plugins.usermanagement.UserManagement.add(UserManagement.java:531)
         at oracle.ods.virtualization.engine.chain.Chain.nextAdd(Chain.java:202)
         at oracle.ods.virtualization.engine.chain.PluginChain.runAdd(PluginChain.java:164)
         at oracle.ods.virtualization.engine.chain.PluginManager.runAdd(PluginManager.java:264)
         at oracle.ods.virtualization.engine.chain.PluginManager.runAdd(PluginManager.java:251)
         at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.add(AdapterServiceInterface.java:240)
         at oracle.ods.virtualization.engine.backend.AdapterServiceInterface.add(AdapterServiceInterface.java:190)
         at oracle.ods.virtualization.engine.backend.BackendHandler.add(BackendHandler.java:329)
         at oracle.ods.virtualization.engine.chain.Chain.nextAdd(Chain.java:185)
         at oracle.ods.virtualization.engine.chain.BasePlugin.add(BasePlugin.java:67)
         at oracle.ods.virtualization.engine.chain.Chain.nextAdd(Chain.java:202)
         at oracle.ods.virtualization.engine.chain.PluginChain.runAdd(PluginChain.java:164)
         at oracle.ods.virtualization.engine.chain.PluginManager.runAdd(PluginManager.java:264)
         at oracle.ods.virtualization.engine.chain.PluginManager.runAdd(PluginManager.java:251)
         at oracle.ods.virtualization.engine.chain.GlobalServicesInterface.runAdd(GlobalServicesInterface.java:107)
         at oracle.ods.virtualization.operation.AddOperation.process(AddOperation.java:127)
         at oracle.ods.virtualization.service.DefaultVirtualizationSession.add(DefaultVirtualizationSession.java:148)
         at oracle.security.idm.providers.libovd.util.LibOVDRealm.createUser(LibOVDRealm.java:124)
         at oracle.security.idm.providers.libovd.LibOVDUserManager.createUser(LibOVDUserManager.java:177)
         at oracle.security.idm.providers.libovd.LibOVDUserManager.createUser(LibOVDUserManager.java:131)
         at oracle.webcenter.security.selfregistration.internal.view.backing.UserManagerBean.createUser(UserManagerBean.java:598)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:597)
         at com.sun.el.parser.AstValue.invoke(Unknown Source)
         at com.sun.el.MethodExpressionImpl.invoke(Unknown Source)
         at org.apache.myfaces.trinidadinternal.taglib.util.MethodExpressionMethodBinding.invoke(MethodExpressionMethodBinding.java:53)
         at org.apache.myfaces.trinidad.component.UIXComponentBase.broadcastToMethodBinding(UIXComponentBase.java:1256)
         at org.apache.myfaces.trinidad.component.UIXCommand.broadcast(UIXCommand.java:183)
         at oracle.adf.view.rich.component.fragment.UIXRegion.broadcast(UIXRegion.java:148)
         at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
         at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
         at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
         at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:102)
         at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent$1.run(ContextSwitchingComponent.java:92)
         at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent._processPhase(ContextSwitchingComponent.java:361)
         at oracle.adf.view.rich.component.fragment.ContextSwitchingComponent.broadcast(ContextSwitchingComponent.java:96)
         at oracle.adf.view.rich.component.fragment.UIXInclude.broadcast(UIXInclude.java:96)
         at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.broadcastEvents(LifecycleImpl.java:902)
         at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:313)
         at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:186)
         at javax.faces.webapp.FacesServlet.service(FacesServlet.java:265)
         at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
         at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
         at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:300)
         at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.bi.nanserver.adf.servlet.BIADFServletFilter.doFilter(BIADFServletFilter.java:27)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.bi.presentation.runtime.binding.BIRegionBindingFilter.doFilter(BIRegionBindingFilter.java:40)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.portlet.client.adapter.adf.ADFPortletFilter.doFilter(ADFPortletFilter.java:32)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.webcenter.framework.events.dispatcher.EventDispatcherFilter.doFilter(EventDispatcherFilter.java:44)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.wcps.client.PersonalizationFilter.doFilter(PersonalizationFilter.java:75)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.webcenter.content.integration.servlets.ContentServletFilter.doFilter(ContentServletFilter.java:168)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.webcenter.generalsettings.model.provider.GeneralSettingsProviderFilter.doFilter(GeneralSettingsProviderFilter.java:85)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.webcenter.webcenterapp.internal.view.webapp.WebCenterShellPageRedirectionFilter.doFilter(WebCenterShellPageRedirectionFilter.java:250)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:205)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.webcenter.webcenterapp.internal.view.webapp.WebCenterShellFilter.doFilter(WebCenterShellFilter.java:696)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.adf.view.page.editor.webapp.WebCenterComposerFilter.doFilter(WebCenterComposerFilter.java:109)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.adf.share.http.ServletADFFilter.doFilter(ServletADFFilter.java:62)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:106)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
         at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:60)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:446)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:271)
         at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:177)
         at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.adf.library.webapp.LibraryFilter.doFilter(LibraryFilter.java:175)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.webcenter.webcenterapp.internal.view.webapp.WebCenterLocaleWrapperFilter.processFilters(WebCenterLocaleWrapperFilter.java:335)
         at oracle.webcenter.webcenterapp.internal.view.webapp.WebCenterLocaleWrapperFilter.doFilter(WebCenterLocaleWrapperFilter.java:237)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:136)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:111)
         at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
         at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:413)
         at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:94)
         at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:161)
         at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
         at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3715)
         at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3681)
         at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
         at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
         at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2277)
         at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2183)
         at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1454)
         at weblogic.work.ExecuteThread.execute(ExecuteThread.java:209)
         at weblogic.work.ExecuteThread.run(ExecuteThread.java:178)
    Thoughts? Probably a simple config tweak, but it's not jumping out at me at the moment.
    Thanks in advance!

    Removed the <virtualize="true"> setting from Enterprise Manager, and the issue disappeared.

  • LDAP fails to start: main: TLS init def ctx failed: -1

    L.S.,
    I need help. Tonight I restarted the server and noticed that LDAP and Kerberos are not starting.
    The error log for the LDAP service shows me:
    main: TLS init def ctx failed: -1
    slapd stopped.
    connections_destroy: nothing to destroy.
    I read on the internet that it could have something to do with the security certificate, so I generated a new self-signed certificate, but that didn't help.
    There is fairly little to find on this subject so any help is appreciated.
    Kind regards,
    Jan Lutterop

    What is the FQDN of your server ?
    See here:
    http://www.dreness.com/blog/archives/27
    In summary, for a server with FQDN logos.youserver.com
    using the Terminal, issue:
    sudo certadmin export logos.youserver.com
    sudo slapconfig -setldapconfig -ssl on -sslcert /etc/certificates/logos.youserver.com \
    -sslkey /etc/certificates/logos.youserver.com -ssldomain logos.youserver.com
    Note the \ above; that's so that the shell interprets the two lines as one (long) line, as it should.

  • Change password through LDAP fails

    I have the standalone calendar server (9.0.4) installed using an openldap server for the account data. Operations generally seem to be working OK with logon activity and ldap lookups. However when trying to change the password using the windows client the application reports "Unable to access the directory server. Application will terminate." after which it closes.
    Simultaneously, watching the openldap debug logs during the event, I see this:
    Oct 20 14:10:45 cs slapd[2986]: => acl_mask: access to entry "cn=Test User One,ou=People,dc=department,dc=someuniversity,dc=edu", attr "userPassword" requested
    Oct 20 14:10:45 cs slapd[2986]: => acl_mask: to all values by "", (=n)
    Oct 20 14:10:45 cs slapd[2986]: <= check a_dn_pat: ou=oraclecalendaradministrator,dc=department,dc=someuniversity,dc=edu
    Oct 20 14:10:45 cs slapd[2986]: <= check a_dn_pat: self
    Oct 20 14:10:45 cs slapd[2986]: <= check a_dn_pat: users
    Oct 20 14:10:45 cs slapd[2986]: <= check a_dn_pat: anonymous
    Oct 20 14:10:45 cs slapd[2986]: <= acl_mask: [4] applying read(=rscx) (stop)
    Oct 20 14:10:45 cs slapd[2986]: <= acl_mask: [4] mask: read(=rscx)
    Oct 20 14:10:45 cs slapd[2986]: => access_allowed: auth access granted by read(=rscx)
    Oct 20 14:10:45 cs slapd[2986]: ====> cache_return_entry_r( 8 ): returned (0)
    Oct 20 14:10:45 cs slapd[2986]: conn=65 op=4 BIND dn="cn=Test User One,ou=People,dc=department,dc=someuniversity,dc=edu" mech=SIMPLE ssf=0
    Oct 20 14:10:45 cs slapd[2986]: do_bind: v3 bind: "cn=Test User One,ou=People,dc=department,dc=someuniversity,dc=edu" to "cn=Test User One,ou=People,dc=department,dc=someuniversity,dc=edu"
    Oct 20 14:10:45 cs slapd[2986]: send_ldap_result: conn=65 op=4 p=3
    Oct 20 14:10:45 cs slapd[2986]: send_ldap_result: err=0 matched="" text=""
    Oct 20 14:10:45 cs slapd[2986]: send_ldap_response: msgid=5 tag=97 err=0
    Oct 20 14:10:45 cs slapd[2986]: conn=65 op=4 RESULT tag=97 err=0 text=
    Oct 20 14:10:45 cs slapd[2986]: daemon: select: listen=6 active_threads=0 tvp=NULL
    Oct 20 14:10:45 cs slapd[2986]: daemon: activity on 1 descriptors
    Oct 20 14:10:45 cs slapd[2986]: daemon: activity on:
    Oct 20 14:10:45 cs slapd[2986]: 28r
    Oct 20 14:10:45 cs slapd[2986]:
    Oct 20 14:10:45 cs slapd[2986]: daemon: read activity on 28
    Oct 20 14:10:45 cs slapd[2986]: connection_get(28)
    Oct 20 14:10:45 cs slapd[2986]: connection_get(28): got connid=65
    Oct 20 14:10:45 cs slapd[2986]: connection_read(28): checking for input on id=65
    Oct 20 14:10:45 cs slapd[2986]: ber_get_next on fd 28 failed errno=11 (Resource temporarily unavailable)
    Oct 20 14:10:45 cs slapd[2986]: do_bind
    Oct 20 14:10:45 cs slapd[2986]: conn=65 op=5 BIND anonymous mech=implicit ssf=0
    Oct 20 14:10:45 cs slapd[2986]: >>> dnPrettyNormal: <ð^est User One,ou=People,dc=department,dc=someuniversity,dc=edu>
    Oct 20 14:10:45 cs slapd[2986]: bind: invalid dn (ð^est User One,ou=People,dc=department,dc=someuniversity,dc=edu)
    Oct 20 14:10:45 cs slapd[2986]: send_ldap_result: conn=65 op=5 p=3
    Oct 20 14:10:45 cs slapd[2986]: send_ldap_result: err=34 matched="" text="invalid DN"
    Oct 20 14:10:45 cs slapd[2986]: send_ldap_response: msgid=6 tag=97 err=34
    Oct 20 14:10:45 cs slapd[2986]: conn=65 op=5 RESULT tag=97 err=34 text=invalid DN
    Oct 20 14:10:45 cs slapd[2986]: daemon: select: listen=6 active_threads=0 tvp=NULL
    So it's submitting an initially correct lookup for the test account, but when it later submits the password update it appears to substitute garbage for the first few characters. Getting the DAS debug log isn't much help; it does report this error:
    DATE = Wed Oct 20 14:14:40 2004
    PID = 5457; TID = 3059759840
    ERROR CODE -> 0x18001
    FUNCTION NAME -> ctldap_LDAPErrorMap
    LDAP ERROR -> 34
    LDAP ERROR MESSAGE -> Invalid DN syntax
    MATCHED DN ->
    SERVER ADDITIONAL INFO. -> invalid DN
    DATE = Wed Oct 20 14:14:40 2004
    PID = 5457; TID = 3059759840
    LOG TYPE -> TRACE
    EXITING -> ctldap_LDAPErrorMap
    returns 0x18001
    Is there anything I should look to about the weird LDAP substitutions? This looks pretty bizarre, I haven't seen such problems with any of the other operations.

    Do you have a :
    [LDAP]
    writedn = " "
    writednpassword = " "
    (note, you need to encrypt this using uniencrypt utility)
    [UTL]
    adm_moduserpassword = TRUE
    Try it then.
    Because a user now has write privileges to the LDAP, it needs a mediator. That mediator is the writedn and writednpassword.
    Yours,
    Eli Benschop
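Added example (my own code, not part of this thread): a Python correlation over the slapd log lines quoted in the post above. It matches each bind the server rejected with result 34 (invalid DN) against the last successful bind on the same connection and reports exactly which leading characters of the DN were replaced. The sample lines are copied from the post; the function names, the per-connection state and the suffix comparison are my own.

```python
import re

# Sample input: the relevant slapd debug lines quoted in the post above.
SAMPLE_LOG = """\
Oct 20 14:10:45 cs slapd[2986]: conn=65 op=4 BIND dn="cn=Test User One,ou=People,dc=department,dc=someuniversity,dc=edu" mech=SIMPLE ssf=0
Oct 20 14:10:45 cs slapd[2986]: conn=65 op=4 RESULT tag=97 err=0 text=
Oct 20 14:10:45 cs slapd[2986]: conn=65 op=5 BIND anonymous mech=implicit ssf=0
Oct 20 14:10:45 cs slapd[2986]: bind: invalid dn (ð^est User One,ou=People,dc=department,dc=someuniversity,dc=edu)
Oct 20 14:10:45 cs slapd[2986]: conn=65 op=5 RESULT tag=97 err=34 text=invalid DN
"""

SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]: (?P<msg>.*)$")
BIND_RE = re.compile(r'^conn=(?P<conn>\d+) op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)"')
INVALID_RE = re.compile(r"^bind: invalid dn \((?P<dn>.*)\)$")
RESULT_RE = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT tag=\d+ err=(?P<err>\d+)")

LDAP_INVALID_DN_SYNTAX = 34  # standard LDAP result code, shown by slapd as "invalid DN"


def common_suffix(a, b):
    """Longest string that both a and b end with."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def find_dn_corruption(text):
    """Pair every err=34 bind with the last good bind DN on the same connection."""
    pending = {}    # conn -> DN of a bind request still waiting for its RESULT
    last_good = {}  # conn -> DN of the most recent bind that succeeded (err=0)
    invalid_dn = None
    findings = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        b = BIND_RE.match(msg)
        if b:
            pending[b.group("conn")] = b.group("dn")
            continue
        i = INVALID_RE.match(msg)
        if i:
            # slapd logs the unparsable DN here; its conn/op follow in the RESULT line.
            invalid_dn = i.group("dn")
            continue
        r = RESULT_RE.match(msg)
        if not r:
            continue
        conn, err = r.group("conn"), int(r.group("err"))
        if err == 0 and conn in pending:
            last_good[conn] = pending.pop(conn)
        elif err == LDAP_INVALID_DN_SYNTAX and invalid_dn is not None:
            good = last_good.get(conn)
            suffix = common_suffix(good, invalid_dn) if good else ""
            findings.append({
                "conn": conn,
                "op": r.group("op"),
                "bad_dn": invalid_dn,
                "last_good_dn": good,
                "intact_suffix": suffix,
                "mangled_prefix": invalid_dn[:len(invalid_dn) - len(suffix)],
                "original_prefix": good[:len(good) - len(suffix)] if good else None,
            })
            invalid_dn = None
    return findings


if __name__ == "__main__":
    for f in find_dn_corruption(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']}: prefix {f['original_prefix']!r} "
              f"arrived as {f['mangled_prefix']!r}; rest of DN intact")
```

What this pins down for a defender: the server side is behaving correctly (a malformed DN is refused with result 34 before any ACL is consulted), and the corruption happens on the client between the successful simple bind on op=4 and the bind that accompanies the password change on op=5. That is consistent with the reply's advice to configure a dedicated writedn in the calendar server rather than to change anything in slapd.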

  • LDAP failing for iPrint and iFolder after new CA created

    Last week we replaced our Certificate Authority as it was due to expire yesterday (Monday). It was running on a fully patched NetWare 6.5 server, and we took the decision to move it to a SLES 11 SP2 OES 11 server and re-create all the certificates, following Option 2 of TID 3618399.
    We re-ran PKIDIAG on the Novell server and tckeygen, and restarted, and everything seemed fine: GroupWise (8) WebAccess and the PO using LDAP auth were working. But this morning we've discovered that LDAP is failing to do secure binds for iPrint secure printers and iFolder. We see this error message in the log screen:
    >11:45:44 11:45:44 ldap *MASTER[xxxx.our-domain.com] connection restored
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][-1] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][0] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][1] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][2] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][3] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][4] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][5] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][6] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 iFolder_ldap01[xxxx.our-domain.com][7] ldap_simple_bind : Can't contact LDAP server(81)
    >11:45:44 11:45:44 ldap iFolder_ldap01[xxxx.our-domain.com] connection restored
    >11:46:41 11:46:41 iFolder_ldap01[xxxx.our-domain.com][-1] ldap_simple_bind: Can't contact LDAP server(81)
    >11:46:41 11:46:41 ldap iFolder_ldap01[xxxx.our-domain.com] down
    >11:46:41 11:46:41 ldap *MASTER[xxxx.our-domain.com] down
    and in the apache error log we see:
    [Tue Aug 27 11:30:08 2013] [error] [client 10.0.0.43] no acceptable variant: SYS:/apache2/error/HTTP_UNAUTHORIZED.html.var
    [Tue Aug 27 11:30:08 2013] [warn] [client 10.0.0.43] [10] auth_ldapdn authenticate: user bob authentication failed; URI /ipps/Ricoh [LDAP: ldap_simple_bind_s() failed][Can't contact LDAP server]
    Nothing else was changed other than creating a new CA (on a new server), removing the old one from eDirectory and generating the new certificates. If we use a web browser to the server to check the certificate, we see that the CA cannot be validated, as it is internal and not a publicly trusted one, but IIRC the old CA did the same.
    PKIDiag and SDIDiag report no issues. The only thing I can imagine that could be causing the issue is the fact that the CA is no longer on the same server hosting iFolder and iPrint. Both servers host eDirectory and are part of the same replica ring; they can communicate and time is synchronised.
    Any ideas?
    Mark.

    Thanks for the quick response. I followed your trace settings above and here are the results:
    LDAP: [2013/08/27 12:42:12.701] Monitor 0x1ba terminating
    LDAP: [2013/08/27 12:42:12.798] Listener closing cleartext port 389
    LDAP: [2013/08/27 12:42:12.798] Listener closing TLS port 636
    LDAP: [2013/08/27 12:42:12.798] Listener closing connectionless port 389
    LDAP: [2013/08/27 12:42:12.802] Removing TLS module dependencies
    LDAP: [2013/08/27 12:42:12.802] Removing SASL module dependencies
    LDAP: [2013/08/27 12:42:12.907] LDAP Agent for Novell eDirectory 8.8 SP5 (20506.06) stopped
    LDAP: [2013/08/27 12:42:18.17] NDS attribute "staticMember" does not exist, mapping ignored
    LDAP: [2013/08/27 12:42:18.21] Duplicate LDAP class name: "alias" (ignored)
    LDAP: [2013/08/27 12:42:18.98] LDAP Agent for Novell eDirectory 8.8 SP5 (20506.06) started
    LDAP: [2013/08/27 12:42:18.98] Updating server configuration
    LDAP: [2013/08/27 12:42:18.98] Work info status: Total:2 Peak:2 Busy:0
    LDAP: [2013/08/27 12:42:18.98] Thread pool status: Total:2 Peak:2 Busy:2
    LDAP: [2013/08/27 12:42:18.218] Listener applying new configuration
    LDAP: [2013/08/27 12:42:18.218] LDAPURL: ldap://:389
    LDAP: [2013/08/27 12:42:18.218] Listener setting up cleartext port 389
    LDAP: [2013/08/27 12:42:18.218] LDAPURL: ldaps://:636
    LDAP: [2013/08/27 12:42:18.218] Listener setting up TLS port 636
    LDAP: [2013/08/27 12:42:18.218] LDAPURL: cldap://:389
    LDAP: [2013/08/27 12:42:18.218] Listener setting up connectionless port 389
    LDAP: [2013/08/27 12:42:18.218] TLS EXPORT ciphers or higher required for TLS connections
    LDAP: [2013/08/27 12:42:18.219] TLS initialization sucessfully completed
    LDAP: [2013/08/27 12:42:18.315] TLS configured successfully
    LDAP: [2013/08/27 12:42:18.327] Adding SASL module dependencies
    LDAP: [2013/08/27 12:42:18.329] SASL initialized successfully
    LDAP: [2013/08/27 12:42:18.329] SASL configured successfully
    LDAP: [2013/08/27 12:42:22.286] Created new monitor 0x0
    LDAP: [2013/08/27 12:42:22.286] Monitor 0x20b started
    LDAP: [2013/08/27 12:42:22.287] TLS accept failure 1 on connection 0xa284e160, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:42:22.287] TLS handshake failed on connection 0xa284e160, err = -5875
    LDAP: [2013/08/27 12:42:22.287] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:17.861] BIO ctrl called with unknown cmd 7
    LDAP: [2013/08/27 12:43:17.861] DoBind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:17.861] Bind name:cn=admin,o=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:17.863] Sending operation result 0:"":"" to connection 0xa284e160
    LDAP: [2013/08/27 12:43:18.921] DoUnbind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:18.921] Preempting operation 0x0:0x0 on connection 0xa284e160 before processing because connection is closing
    LDAP: [2013/08/27 12:43:19.904] DoBind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.905] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.905] Sending operation result 0:"":"" to connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.906] DoUnbind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.906] DoBind on connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.906] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.907] Sending operation result 0:"":"" to connection 0xa284e160
    LDAP: [2013/08/27 12:43:19.907] DoBind on connection 0xa284e2c0
    LDAP: [2013/08/27 12:43:19.907] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.908] Sending operation result 0:"":"" to connection 0xa284e2c0
    LDAP: [2013/08/27 12:43:19.908] DoBind on connection 0xa284e420
    LDAP: [2013/08/27 12:43:19.908] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.909] Sending operation result 0:"":"" to connection 0xa284e420
    LDAP: [2013/08/27 12:43:19.909] DoBind on connection 0xa284e580
    LDAP: [2013/08/27 12:43:19.909] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.910] Sending operation result 0:"":"" to connection 0xa284e580
    LDAP: [2013/08/27 12:43:19.910] DoBind on connection 0xa284e6e0
    LDAP: [2013/08/27 12:43:19.910] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.910] Sending operation result 0:"":"" to connection 0xa284e6e0
    LDAP: [2013/08/27 12:43:19.911] DoBind on connection 0xa284e840
    LDAP: [2013/08/27 12:43:19.911] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.911] Sending operation result 0:"":"" to connection 0xa284e840
    LDAP: [2013/08/27 12:43:19.912] DoBind on connection 0xa284e9a0
    LDAP: [2013/08/27 12:43:19.912] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.912] Sending operation result 0:"":"" to connection 0xa284e9a0
    LDAP: [2013/08/27 12:43:19.913] DoBind on connection 0xa284eb00
    LDAP: [2013/08/27 12:43:19.913] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
    LDAP: [2013/08/27 12:43:19.913] Sending operation result 0:"":"" to connection 0xa284eb00
    LDAP: [2013/08/27 12:43:19.923] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
    LDAP: [2013/08/27 12:43:19.923] TLS handshake failed on connection 0xa284ec60, err = -5875
    LDAP: [2013/08/27 12:43:19.923] BIO ctrl called with unknown cmd 7
    I'm now pretty sure that the cert is being invalidated because the new CA is not trusted by the old server. Strange that PKIDiag has no problems with it. So I'm really looking for a way to authorise a CA for LDAP secure, I think.
    I can connect to the server over LDAPS (port 636) using the Softerra LDAP browser from my PC; again I get "certificate not valid", as we have the internal CA authorising it, but you can accept the certificate, authenticate fine and use LDAP.
    BR,
    Mark.
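A small triage script for traces in the format quoted above, added here as an example and not part of the original post: it pulls out the "TLS accept failure" lines, maps the SSL alert number to its RFC 5246 name, records whether the alert was received from the peer, and counts bind methods. The sample lines are constructed to match the trace format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format of the trace quoted above (not the
# poster's full trace): one successful simple bind, then a connection whose
# TLS handshake fails twice.
SAMPLE_TRACE = """\
LDAP: [2013/08/27 12:43:19.906] DoBind on connection 0xa284e160
LDAP: [2013/08/27 12:43:19.906] Bind name:cn=iFolder_ServerAgent,O=xxx, version:3, authentication:simple
LDAP: [2013/08/27 12:43:19.907] Sending operation result 0:"":"" to connection 0xa284e160
LDAP: [2013/08/27 12:43:19.923] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
LDAP: [2013/08/27 12:43:19.923] TLS handshake failed on connection 0xa284ec60, err = -5875
LDAP: [2013/08/27 12:43:19.925] TLS accept failure 1 on connection 0xa284ec60, setting err = -5875. Error stack: error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate - SSL alert number 42
LDAP: [2013/08/27 12:43:19.925] TLS handshake failed on connection 0xa284ec60, err = -5875
"""

# Alert descriptions from RFC 5246, section 7.2.2 (the certificate-related subset).
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}

TLS_FAIL_RE = re.compile(
    r"^LDAP: \[(?P<ts>[^\]]+)\] TLS accept failure \d+ on connection "
    r"(?P<conn>0x[0-9a-fA-F]+), setting err = (?P<err>-?\d+)\. Error stack: "
    r"error:(?P<ossl>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>.*?)(?: - SSL alert number (?P<alert>\d+))?$"
)
BIND_RE = re.compile(
    r"^LDAP: \[[^\]]+\] Bind name:(?P<dn>.*?), version:(?P<ver>\d+), "
    r"authentication:(?P<auth>\w+)$"
)


def parse_tls_failures(text):
    """Return one record per 'TLS accept failure' line in the trace."""
    records = []
    for line in text.splitlines():
        m = TLS_FAIL_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["alert"] = int(rec["alert"]) if rec["alert"] is not None else None
        rec["alert_name"] = TLS_ALERTS.get(rec["alert"], "unknown")
        # OpenSSL reports an alert under SSL3_READ_BYTES when it *received*
        # the alert from the peer: the connecting side is the party that
        # rejected the certificate it was shown.
        rec["received_from_peer"] = rec["func"] == "SSL3_READ_BYTES"
        records.append(rec)
    return records


def summarize(text):
    """Aggregate handshake failures per connection and count bind methods.

    The bind count is worth watching on its own: "simple" binds carry the
    password in clear text unless the connection is TLS-protected.
    """
    failures = parse_tls_failures(text)
    per_conn = defaultdict(Counter)
    for f in failures:
        per_conn[f["conn"]][f["alert_name"]] += 1
    binds = Counter()
    for line in text.splitlines():
        m = BIND_RE.match(line.strip())
        if m:
            binds[m.group("auth")] += 1
    return {
        "total_failures": len(failures),
        "per_connection": {c: dict(v) for c, v in per_conn.items()},
        "binds": dict(binds),
    }


if __name__ == "__main__":
    for rec in parse_tls_failures(SAMPLE_TRACE):
        who = "received from peer" if rec["received_from_peer"] else "sent by server"
        print(f'{rec["ts"]} {rec["conn"]} alert {rec["alert"]} '
              f'({rec["alert_name"]}, {who}) openssl err {rec["ossl"]}')
    print(summarize(SAMPLE_TRACE))
```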

  • Connection with Ldap failed when Upgrade to Colfusion 8

    Hi,
    I have a problem with cfldap tag used in CF8. I have a cfldap tag defined in my application which works fine on CFMX7. But the moment I installed CF8, it gives me an error - "Connection to LDAP server failed."
    My cfldap tag is as below:
    <CFLDAP NAME="qLDAP"
        START="O=myCompany,C=valueOfC"
        SERVER="ldapServerName"
        FILTER="(alias=myLdapAlias)"
        SORT="SN,GIVENNAME,ALIAS"
        ATTRIBUTES="ALIAS,SN,MODIFYTIMESTAMP"
        ACTION="QUERY"
        SCOPE="SUBTREE"
        TIMEOUT="60000"
        referral="yes"
        secure="CFSSL_BASIC"
        USERNAME="cn=valueOfcn, ou=contractor, o=myCompany, c=valueOfc"
        PASSWORD="myLdapPassword"
        PORT="636">
    <cfdump var="#qLdap#">
    The weird thing is that when I remove the secure, username, password and port attributes from the above CFLDAP tag, it works fine and gets me LDAP results. The moment I put these attributes back in the CFLDAP tag, it fails. I had installed SSL on my IIS too. What else am I missing?
    My error is - "Connection to LDAP server failed."
    When I expanded the stack trace, I get the following :-
    coldfusion.tagext.net.LdapTag$UnknownHostException: Connection to LDAP server failed.
    Need your help...

    What is your current build?
    If you are getting a yellow triangle, most likely either the update.zip or update.xml are corrupt. You should be able to delete both files and try updating again.
    I used to have a:
    K1_A301_14_14_120109_US

  • LDAPS Fail to connect

    Stumped, please help;
    It worked on Friday; on Monday it doesn't work, and there are no changes over the weekend that I can find.
    2008 domain, 2008R2 DC's
    The certificate is not expired
    The port is open
    LDAP works with no issues
    I have deleted the certificate, and had a new one issued from the domain CA, still doesn't work.
    The certificate path shows ok, but could it be something with the Microsoft CA? Or the Domain Controller Authentication Template?
    LDP.EXE returns this;
    0x0 = ldap_unbind(ld);
    ld = ldap_sslinit("SERVERNAME_FQDN_HERE", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to SERVERNAME_FQDN_HERE.
    BlankMonkey
    UPDATE:
    I used this link (http://support.microsoft.com/kb/321051) to get a certificate request from an InCommon CA. I had trouble adding it, but did get it into the proper place (I think). No change, it did not help.

    Hi BlankMonkey,
    Could you offer us more information about your environment? Error 81 and 0x51 are typically caused by a certificate issue, such as a missing private key; please try to export the key and then reimport it.
    More information:
    How to enable LDAP over SSL with a third-party certification authority
    http://support.microsoft.com/kb/321051
    I’m glad to be of help to you!

  • Cisco Jabber 9.2.1 connect LDAP fail

    Hi all,
    I am using CUCM 9.1 and CUP 9.1
    Here is my UC service settings
    Product type: Enhanced Directory
    Port: 389
    Protocol: TCP
    Connection Type: LDAP
    A service profile has been created and assigned to the end user.
    If I use CUPC 8.5 or 8.6, it can connect to LDAP successfully.
    However, if I use Cisco Jabber 9.2.1 (Windows), it cannot connect to AD.
    In "Show Connection Status", it shows
    Status : Unknown
    Reason : Unknown
    Is there any missing configuration for Jabber 9.2.1?
    Thanks in advance
    Sam

    Have you configured the jabber-config.xml file? The configuration you have is not for Jabber; if you haven't, review the configuration guide for details.
    Sent from Cisco Technical Support iPad App

  • SQL Developer (using TNS and LDAP) fails

    If I use a Basic Connection Type and specify the Host, Port and Service Name I can get connected.
    If I use a TNS Connection Type and click on the appropriate Network Alias I get:
    Status: Failure -lo exception: SO exception was generated.
    The SQLNET.ORA file has this entry:
    NAMES.DIRECTORY_PATH= (LDAP)
    SQL*Plus connections work fine.
    Has anyone seen this issue and resolved it?
    Thanks,
    Bob Larsen

    Bob,
    TNS connection with Network Alias option should work.
    I assume you have a local tnsnames.ora file with the database entry.
    You can launch sqldeveloper from sqldeveloper\sqldeveloper\bin\sqldeveloper.exe
    or sqldeveloper\sqldeveloper\bin\sqldeveloper.bat.
    This will give a stack trace.
    Thanks,
    Sri

  • Passwd command not working on LDAP server

    hello all,
    At this time I am having a problem with the LDAP we are in the process of setting up for our Data Center servers.
    Users cannot change their LDAP password using the command line passwd command. Other than this, the LDAP services seem to be running well for both Sun OS 10 and Sun OS 9 clients.
    If a user attempts using the passwd command, they get the following response
    /home/jdoe$ passwd -r ldap
    passwd: Changing password for jdoe
    Enter existing login password:
    New Password:
    Re-enter new Password:
    Permission denied
    Also, from the root user you get the same response when attempting to change a user's password from the command line. At this time the only way to change passwords is from the GUI.
    We are currently using Sun Java (tm) System Directory Server 5.2.4 running in a zone on a SunOS 5.10 Generic_118833-33 Sparc server
    If you need further information please contact me
    [email protected]
    Any help is appreciated
    Mike

    From what you describe, I suspect there might be a firewall getting in the way. Did you open port 1935 on your server firewall? By default, the flashplayer will connect to FMS on port 1935. If 1935 fails, the flashplayer will attempt to connect on port 80. It takes a while for the second attempt to happen, so that would explain the lag in the connection being accepted.
    I'm not sure why Firefox is crashing, but that wouldn't be caused by a server issue. Is there something in your ActionScript that might cause the flashplayer to crash if the NetConnection isn't accepted? Perhaps a conditional that results in an infinite loop?
    About the admin service... are you sure it's running and there's no firewall blocking port 1111? Try entering this into your browser:
    http://[server ip or hostname]:1111
    If the service responds with an XML file, it's running.

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into the client with user VV, which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I then try to change the password with the `passwd` command, it does not use the password policy on the directory server but the default defined in /etc/default/passwd.
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen in the line "pam_authtok_check: minimum length from /etc/default/passwd: 8". It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 with password compatibility in ds6 mode, maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    you can try passwd -r ldap for changing the ldap passwds...
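To see why the password change in the post above is checked against /etc/default/passwd, here is an added example (not from the thread) that parses a Solaris-style pam.conf and resolves the effective stack per module type, falling back to the "other" entries when a service defines none of that type. The excerpt is constructed from the pam.conf quoted above; the helper names are mine.

```python
from typing import NamedTuple

# Constructed excerpt in the format of the pam.conf quoted above (not the
# poster's full file): the passwd service defines an auth stack only, so its
# password-management stack is inherited from "other".
PAM_CONF = """\
#ident "constructed excerpt for the example"
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
other account requisite pam_roles.so.1 debug
other account binding pam_unix_account.so.1 server_policy debug
other account required pam_ldap.so.1 no_pass debug
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
"""

MODULE_TYPES = ("auth", "account", "session", "password")
CONTROL_FLAGS = ("required", "requisite", "sufficient", "optional", "binding")


class Entry(NamedTuple):
    service: str
    mtype: str
    control: str
    module: str
    options: tuple


def parse_pam_conf(text):
    """Parse pam.conf lines: service module-type control-flag module [options]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if (len(fields) < 4 or fields[1] not in MODULE_TYPES
                or fields[2] not in CONTROL_FLAGS):
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(Entry(fields[0], fields[1], fields[2], fields[3],
                             tuple(fields[4:])))
    return entries


def stack_for(entries, service, mtype):
    """Effective stack for (service, module type).

    pam.conf(4) semantics: a service uses its own entries for a module type
    and falls back to the "other" entries only when it has none of that type.
    """
    own = [e for e in entries if e.service == service and e.mtype == mtype]
    if own:
        return own
    return [e for e in entries if e.service == "other" and e.mtype == mtype]


def password_policy_source(entries, service="passwd"):
    """Report which modules will judge a new password for `service` and
    whether that stack was inherited from "other"."""
    stack = stack_for(entries, service, "password")
    modules = [e.module for e in stack]
    inherited = bool(stack) and all(e.service == "other" for e in stack)
    if any(m.startswith("pam_ldap") for m in modules):
        source = "directory server (pam_ldap is in the password stack)"
    elif any(m.startswith("pam_authtok_check") for m in modules):
        # pam_authtok_check enforces the local rules from /etc/default/passwd,
        # which is where the "minimum length ... 8" in the log above comes from.
        source = "local /etc/default/passwd (pam_authtok_check)"
    else:
        source = "none of the known policy modules"
    return {"modules": modules, "inherited_from_other": inherited,
            "source": source}


if __name__ == "__main__":
    cfg = parse_pam_conf(PAM_CONF)
    for mtype in MODULE_TYPES:
        print(mtype, [e.module for e in stack_for(cfg, "passwd", mtype)])
    print(password_policy_source(cfg))
```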

  • Thread: Passwd not able to updated Centerlize LDAP Server

    I have openldap running on a solaris 10 x86 server, with all system users migrated to the LDAP tree.
    I configured the client on another solaris 10 x86 server: ldapclient manual -a defaultsearch=dc=xxxx,dc== ........ like that (I have tried setting up a proxy agent but it does not work....)
    I can login (SSH and dtlogin) to the other solaris 10 server using an LDAP user, but when I try to change the password I get this problem. Am I missing anything? I suspect the pam.conf configuration.
    I tried a couple of combinations but am not able to get rid of this. The same configuration is working on Linux (with the standard changes in the system-auth config file...).
    ==Solaris console===
    bash-3.00$ passwd
    passwd: Changing password for vipul3
    Enter existing login password:
    New Password:
    Re-enter new Password:
    passwd: vipul3 does not exist.
    Permission denied
    bash-3.00$
    ========================
    /var/adm/messages
    Apr 30 02:27:30 xxxx passwd[6954]: [ID 574280 user.error] passwdutil: no legal LDAP authentication method configured
    Apr 30 02:27:30 xxxx passwd[6954]: [ID 574280 user.error] passwdutil: no legal LDAP authentication method configured
    =============================
    Regards
    Vipul Ramani

    Hi alan,
    I can login to the solaris box using an LDAP user but passwd -r ldap does not work... it is giving me the error: passwd: System error: no ldap password for vipul3.
    The strange thing is: then how is the user authenticated from LDAP???
    ==========Solaris console output -=================
    login as: vipul3
    Using keyboard-interactive authentication.
    Password:
    Last login: Tue May 6 05:42:22 2008 from 192.168.109.232
    Sun Microsystems Inc. SunOS 5.10 Generic January 2005
    $ bash
    bash-3.00$ passwd -r ldap
    passwd: Changing password for vipul3
    Enter existing login password:
    New Password:
    Re-enter new Password:
    **passwd: System error: no ldap password for vipul3.**
    Permission denied
    bash-3.00$
    ==syslog===================================
    May 6 05:43:15 XXXX passwd[1189]: [ID 574280 user.error] passwdutil: no legal LDAP authentication method configured
    May 6 05:43:15 XXXX passwd[1189]: [ID 574280 user.error] passwdutil: no legal LDAP authentication method configured
    ============================

  • Problems with LDAP Server fail-over

    Our Xsan is installed with 12 FCP clients, 2 MDC Xserves and 2 LDAP Xserves for fail-over.
    The 2 MDC fail-over runs well, but the 2 LDAP fail-over has problems.
    The first time we unplugged the power cord of one Xserve, the other LDAP server took over successfully, but FCP users' re-login took 15 minutes. That's unacceptable.
    The fail-over never succeeded after that.
    That means once the LDAP server is down, the backup LDAP will not take over the job, and we will lose everything related to user login.
    Can anybody help? Thanks a lot.

    I believe you can enter both LDAP servers in the client configuration for LDAP access. (Even though you shouldn't have to)
    IP failover is not the issue, your LDAP configuration is.
    Start at page 90 and work through this document to make sure you have the clients set up properly.
    http://manuals.info.apple.com/en/MacOSXSrvr10.3_OpenDirectoryAdmin.pdf
