[Systems] Reset Expired LDAP Password

Bernie Innocenti bernie at codewiz.org
Tue Nov 26 10:57:41 EST 2019


For the record, my shell account on sunjammer expired today. I went to 
the web form (https://ldap.sugarlabs.org/passwd) and I was able to 
change my password normally.

If it's not working for other users, they might be doing something 
differently, or their accounts are not set up the same way as mine.

On 29/09/2018 01.01, Bernie Innocenti wrote:
> Sorry for jumping in after the end of the show...
> 
> Yes, ldap has always been hellish to configure and admin. We used it early on, when we wanted to share accounts across our servers. But now sunjammer is the only server left with ldap, and we could get rid of it if someone writes a script to migrate the users.
> 
> 
> On September 28, 2018 12:42:01 AM UTC, James Cameron <quozl at laptop.org> wrote:
>> Ibiam has shell access to sunjammer again following my change to
>> password and expiry period.
>>
>> Ibiam, please;
>>
>> - try using sunjammer shell ldappasswd to change your password,
>>
>> - try using ldap.sugarlabs.org to change your password,
>>
>> Let us know the results.
>>
>> On Thu, Sep 27, 2018 at 03:19:56PM +0100, Chihurumnaya Ibiam wrote:
>>> Hi James,
>>>
>>> I get this error "Wrong username or password."
>>>
>>> --
>>>
>>> Ibiam Chihurumnaya
>>> [1]ibiamchihurumnaya at gmail.com
>>>
>>> On Thu, Sep 27, 2018 at 6:39 AM James Cameron <[2]quozl at laptop.org> wrote:
>>>
>>>      Bernie, can I change the RootDN password?
>>>
>>>      Ibiam, what does [3]ldap.sugarlabs.org show you when you try to change
>>>      your password?
>>>
>>>      --
>>>
>>>      Ibiam sent me his password, and it didn't work for me;
>>>
>>>      sunjammer:~# ldappasswd -H ldap://127.0.0.1 -x -D "uid=ibiamchihurumnaya,ou=People,dc=sugarlabs,dc=org" -W -A -S
>>>      Old password:
>>>      Re-enter old password:
>>>      New password:
>>>      Re-enter new password:
>>>      Enter LDAP Password:
>>>      ldap_bind: Invalid credentials (49)
>>>      49!sunjammer:~#
>>>
>>>      On [5]https://ldap.sugarlabs.org/passwd the response was "Wrong username
>>>      or password.", which means @ldap_bind failed twice.
>>>
>>>      On Wed, Sep 26, 2018 at 11:32:53AM +1000, James Cameron wrote:
>>>      > Ibiam and I talked about this problem after the meeting today.
>>>      >
>>>      > Our plan is for Ibiam to send me the password using GnuPG, and I'll
>>>      > try ldappasswd after su.
>>>      >
>>>      > Logs from sunjammer from this event;
>>>      > [6]http://dev.laptop.org/~quozl/z/1g4wNM.txt
>>>      >
>>>      > On Tue, Sep 25, 2018 at 02:44:26PM +0100, Chihurumnaya Ibiam wrote:
>>>      > > James no error from "ssh -v", it only shows connection was established
>>>      > > and a warning that my password is expired and I should change it but
>>>      > > typing my password only throws an incorrect password error.
>>>      > >
>>>      > > --
>>>      > >
>>>      > > Ibiam Chihurumnaya
>>>      > > [1][7]ibiamchihurumnaya at gmail.com
>>>      > >
>>>      > > On Tue, Sep 25, 2018 at 11:04 AM James Cameron <[2][8]quozl at laptop.org> wrote:
>>>      > >
>>>      > >     Changing my password using [3][9]ldap.sugarlabs.org failed with; "Can't
>>>      > >     modify LDAP information."
>>>      > >
>>>      > >     Changing my password using ldappasswd from sunjammer shell prompt
>>>      > >     seemed to work;
>>>      > >
>>>      > >     quozl@sunjammer:~$ ldappasswd -H ldap://127.0.0.1 -x -D "uid=quozl,ou=People,dc=sugarlabs,dc=org" -W -A -S
>>>      > >     Old password: <oldpassword>
>>>      > >     Re-enter old password: <oldpassword>
>>>      > >     New password: <newpassword>
>>>      > >     Re-enter new password: <newpassword>
>>>      > >     Enter LDAP Password: <oldpassword>
>>>      > >     quozl@sunjammer:~$
>>>      > >
>>>      > >     However shadowLastChange for me hasn't moved, so I'm not sure if it
>>>      > >     really worked.  Password authentication isn't enabled for SSH anyway.
>>>      > >
>>>      > >     Checking Ibiam's entry using ldapsearch;
>>>      > >
>>>      > >     $ ldapsearch -x -LLL uid=ibiamchihurumnaya
>>>      > >     dn: uid=ibiamchihurumnaya,ou=People,dc=sugarlabs,dc=org
>>>      > >     uid: ibiamchihurumnaya
>>>      > >     cn: Chihurumnaya Ibiam
>>>      > >     sn: Ibiam
>>>      > >     objectClass: person
>>>      > >     objectClass: organizationalPerson
>>>      > >     objectClass: inetOrgPerson
>>>      > >     objectClass: posixAccount
>>>      > >     objectClass: top
>>>      > >     objectClass: shadowAccount
>>>      > >     shadowMax: 365
>>>      > >     shadowWarning: 14
>>>      > >     uidNumber: 837
>>>      > >     gidNumber: 837
>>>      > >     homeDirectory: /home/ibiamchihurumnaya
>>>      > >     gecos: Chihurumnaya Ibiam
>>>      > >     displayName: Chihurumnaya Ibiam
>>>      > >     givenName: Chihurumnaya
>>>      > >     loginShell: /bin/bash
>>>      > >     mail: [5][10]ibiamchihurumnaya at gmail.com
>>>      > >     shadowLastChange: 17407 (29th August 2017)
>>>      > >
>>>      > >     Current date is beyond shadowLastChange plus shadowMax plus
>>>      > >     shadowWarning, so the account is probably inactive and disabled.
>>>      > >
>>>      > >     Ibiam, is there some indication you have received to confirm that,
>>>      > >     e.g. an "ssh -v" error?
>>>      > >
>>>      > >     I've tried changing Ibiam's password as root, but it prompts me for
>>>      > >     Ibiam's old password, which I don't know.
>>>      > >
>>>      > >     sunjammer:~# ldappasswd -H ldap://127.0.0.1 -x -D "uid=ibiamchihurumnaya,ou=People,dc=sugarlabs,dc=org" -W -A -S
>>>      > >     Old password:
>>>      > >
>>>      > >     I've found a procedure for changing the RootDN password for OpenLDAP,
>>>      > >     but if I did that I'd need a secure way to communicate it to other
>>>      > >     system administrators.  It also looks hacky and prone to error, so I'm
>>>      > >     not sure the procedure is correct.
>>>      > >
>>>      > >     [7][11]https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server
>>>      > >
>>>      > >     On Fri, Sep 21, 2018 at 02:35:07PM +0100, Chihurumnaya Ibiam wrote:
>>>      > >     > Hi all,
>>>      > >     >
>>>      > >     > I recently complained about my sunjammer account as I haven't been
>>>      > >     > able to log in because my password is expired and using
>>>      > >     > [1][8][12]ldap.sugarlabs.org I couldn't reset my password, and I've
>>>      > >     > not been able to send emails from my @[2][9][13]sugarlabs.org address
>>>      > >     > and my emails to the lists I'm subscribed to at
>>>      > >     > [3][10][14]lists.sugarlabs.org get bounced.
>>>      > >     >
>>>      > >     > Bernie asked for my gpg key and I gave it to him and I haven't had a
>>>      > >     > reply since then, I've attached my gpg key here too. Thanks.
>>>      > >     >
>>>      > >     > --
>>>      > >     >
>>>      > >     > Ibiam Chihurumnaya
>>>      > >     > [4][11][15]ibiamchihurumnaya at gmail.com
>>>      > >     >
>>>      > >     > References:
>>>      > >     >
>>>      > >     > [1] [12][16]http://ldap.sugarlabs.org/
>>>      > >     > [2] [13][17]http://sugarlabs.org/
>>>      > >     > [3] [14][18]http://lists.sugarlabs.org/
>>>      > >     > [4] mailto:[15][19]ibiamchihurumnaya at gmail.com
>>>      > >
>>>      > >
>>>      > >     --
>>>      > >     James Cameron
>>>      > >     [16][20]http://quozl.netrek.org/
>>>      > >
>>>      > > References:
>>>      > >
>>>      > > [1] mailto:[21]ibiamchihurumnaya at gmail.com
>>>      > > [2] mailto:[22]quozl at laptop.org
>>>      > > [3] [23]http://ldap.sugarlabs.org/
>>>      > > [4] [24]http://127.0.0.1/
>>>      > > [5] mailto:[25]ibiamchihurumnaya at gmail.com
>>>      > > [6] [26]http://127.0.0.1/
>>>      > > [7] [27]https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server
>>>      > > [8] [28]http://ldap.sugarlabs.org/
>>>      > > [9] [29]http://sugarlabs.org/
>>>      > > [10] [30]http://lists.sugarlabs.org/
>>>      > > [11] mailto:[31]ibiamchihurumnaya at gmail.com
>>>      > > [12] [32]http://ldap.sugarlabs.org/
>>>      > > [13] [33]http://sugarlabs.org/
>>>      > > [14] [34]http://lists.sugarlabs.org/
>>>      > > [15] mailto:[35]ibiamchihurumnaya at gmail.com
>>>      > > [16] [36]http://quozl.netrek.org/
>>>      >
>>>      > > _______________________________________________
>>>      > > Systems mailing list
>>>      > > [37]Systems at lists.sugarlabs.org
>>>      > > [38]http://lists.sugarlabs.org/listinfo/systems
>>>      >
>>>      >
>>>      > --
>>>      > James Cameron
>>>      > [39]http://quozl.netrek.org/
>>>
>>>      --
>>>      James Cameron
>>>      [40]http://quozl.netrek.org/
>>>
>>> References:
>>>
>>> [1] mailto:ibiamchihurumnaya at gmail.com
>>> [2] mailto:quozl at laptop.org
>>> [3] http://ldap.sugarlabs.org/
>>> [4] http://127.0.0.1/
>>> [5] https://ldap.sugarlabs.org/passwd
>>> [6] http://dev.laptop.org/~quozl/z/1g4wNM.txt
>>> [7] mailto:ibiamchihurumnaya at gmail.com
>>> [8] mailto:quozl at laptop.org
>>> [9] http://ldap.sugarlabs.org/
>>> [10] mailto:ibiamchihurumnaya at gmail.com
>>> [11] https://www.digitalocean.com/community/tutorials/
>>> [12] http://ldap.sugarlabs.org/
>>> [13] http://sugarlabs.org/
>>> [14] http://lists.sugarlabs.org/
>>> [15] mailto:ibiamchihurumnaya at gmail.com
>>> [16] http://ldap.sugarlabs.org/
>>> [17] http://sugarlabs.org/
>>> [18] http://lists.sugarlabs.org/
>>> [19] mailto:ibiamchihurumnaya at gmail.com
>>> [20] http://quozl.netrek.org/
>>> [21] mailto:ibiamchihurumnaya at gmail.com
>>> [22] mailto:quozl at laptop.org
>>> [23] http://ldap.sugarlabs.org/
>>> [24] http://127.0.0.1/
>>> [25] mailto:ibiamchihurumnaya at gmail.com
>>> [26] http://127.0.0.1/
>>> [27] https://www.digitalocean.com/community/tutorials/how-to-change-account-passwords-on-an-openldap-server
>>> [28] http://ldap.sugarlabs.org/
>>> [29] http://sugarlabs.org/
>>> [30] http://lists.sugarlabs.org/
>>> [31] mailto:ibiamchihurumnaya at gmail.com
>>> [32] http://ldap.sugarlabs.org/
>>> [33] http://sugarlabs.org/
>>> [34] http://lists.sugarlabs.org/
>>> [35] mailto:ibiamchihurumnaya at gmail.com
>>> [36] http://quozl.netrek.org/
>>> [37] mailto:Systems at lists.sugarlabs.org
>>> [38] http://lists.sugarlabs.org/listinfo/systems
>>> [39] http://quozl.netrek.org/
>>> [40] http://quozl.netrek.org/
>>
>> -- 
>> James Cameron
>> http://quozl.netrek.org/
> 


-- 
_ // Bernie Innocenti
  \X/  https://codewiz.org/
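
The shadow-aging check that the quoted thread runs by hand on the ldapsearch output, as an added example (not part of the original messages or of any Sugar Labs tooling): it parses an entry's shadow* attributes and classifies the password using the field meanings in shadow(5). The function names and state labels are this example's own, the LDIF is a constructed subset of the entry quoted above, and it assumes the LDAP client on the host applies shadow(5) semantics.

```python
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)  # shadow* day counts are days since this date

# Constructed sample: the shadow attributes from the ldapsearch output in the thread.
SAMPLE_LDIF = """\
dn: uid=ibiamchihurumnaya,ou=People,dc=sugarlabs,dc=org
objectClass: shadowAccount
shadowMax: 365
shadowWarning: 14
shadowLastChange: 17407
"""

def parse_shadow_attrs(ldif):
    """Collect the integer shadow* attributes of one LDIF entry."""
    attrs = {}
    for line in ldif.splitlines():
        name, sep, value = line.partition(": ")
        if sep and name.startswith("shadow") and value.strip():
            attrs[name] = int(value.split()[0])  # tolerate trailing annotations
    return attrs

def day_to_date(days):
    """Convert a days-since-epoch count to a calendar date."""
    return EPOCH + timedelta(days=days)

def password_state(attrs, today):
    """Return (state, expiry_date) following the field meanings in shadow(5)."""
    last = attrs.get("shadowLastChange")
    max_age = attrs.get("shadowMax")
    if last is None or max_age is None or max_age < 0:
        return ("no-aging", None)
    if last == 0:
        return ("must-change", None)  # 0 forces a change at next login
    now = (today - EPOCH).days
    expires = last + max_age
    warn = attrs.get("shadowWarning", 0)
    inactive = attrs.get("shadowInactive")
    if now > expires:  # boundary-day handling is this example's choice
        if inactive is not None and inactive >= 0 and now > expires + inactive:
            return ("locked", day_to_date(expires))
        return ("expired", day_to_date(expires))
    if now >= expires - warn:
        return ("warning", day_to_date(expires))
    return ("ok", day_to_date(expires))

if __name__ == "__main__":
    attrs = parse_shadow_attrs(SAMPLE_LDIF)
    print(day_to_date(attrs["shadowLastChange"]), password_state(attrs, date(2018, 9, 25)))
```

Under shadow(5), shadowWarning counts the days before the expiry date during which the user is warned, and a separate shadowInactive attribute (absent from the quoted entry) controls how long an expired password is still accepted.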

