[Fedora-directory-users] userPassword is base64 encoded

jclowser at unitedmessaging.com
Wed Jun 8 22:38:03 UTC 2005


Hmm - error 89 is parameter error.  Something you/samba passed was 
invalid in some way (i.e. for some reason it seems to be passing null 
for the current password)

What does it show in the directory server access and error logs?  Show 
us the entire connection, as well as anything in the error log around 
that time.

 - Jeff

Sævaldur Gunnarsson wrote:

> Thank you all for replying.
>
> I think I have narrowed this problem down to the fact that FDS wants 
> the user's old password when changing it.
> No matter if you are authenticated as the user or as the Directory 
> Manager.
>
> kung.foo.is ~# ldappasswd -ZZ -D "cn=Directory Manager" uid=gg,ou=People,dc=kung,dc=foo -S -x -W
> New password:
> Re-enter new password:
> Enter LDAP Password:
> Result: Unknown error (89)
> Additional info: Current passwd must be supplied by the user.
>
> This is the same error code (err=89) as I see in the access log when I 
> try to change the password from Windows:
> [08/Jun/2005:10:07:11 +0000] conn=1043 op=14 RESULT err=89 tag=120 nentries=0 etime=0
>
> So it looks like the problem has been located.
> Next, how to fix it? ;)
>
>
> David Boreham wrote:
>
>>
>>>
>>> Samba binds to the DS as the admin server and then just attempts to 
>>> overwrite the userPassword attribute (I assume you have ldap sync 
>>> turned on). It seems DS doesn't like it: it requires the current 
>>> password first. Perhaps there is some configuration change that can 
>>> help.
>>>
>>>  
>>>
>> I think this could be an access control issue. The default ACIs supplied
>> with the server only allow root (Directory Manager) and 'self' write access
>> to the userPassword attribute. If you changed the access control rules
>> to allow the user that samba binds as write access, that might help.
>>
>> The access log is your friend: look in there (.../slapd-<hostname>/logs/access)
>> to find the operations samba attempted. The ldap result code for the modify
>> operation will be in there. You will be able to see if the operation failed
>> due to access control restrictions (error code 50) or for some other reason.
>>
>>
>> -- 
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
>
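
Both replies ask for the access-log lines of the failing connection. The following is an added example (not part of the thread, and not code from the Fedora Directory Server project) that returns every line of any connection containing a RESULT with err=50 or err=89, paired with the request that failed. The sample log is constructed around the one RESULT line quoted in the thread; the addresses, the conn=1042 exchange and the EXT request line are assumptions.

```python
import re
from collections import defaultdict

# Result codes named in the thread, with the meaning the posters give them.
CODES = {50: "access control restriction", 89: "parameter error"}
LINE = re.compile(r"^\[[^\]]+\] conn=(?P<conn>\d+) (?:op=(?P<op>-?\d+) )?(?P<rest>.*)$")
ERR = re.compile(r"^RESULT err=(\d+)\b")

# Constructed sample: addresses, the conn=1042 exchange and the EXT request line
# are made up; only the conn=1043 op=14 RESULT line is quoted from the thread.
SAMPLE_LOG = """\
[08/Jun/2005:10:07:09 +0000] conn=1042 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[08/Jun/2005:10:07:09 +0000] conn=1042 op=0 BIND dn="uid=gg,ou=People,dc=kung,dc=foo" method=128 version=3
[08/Jun/2005:10:07:09 +0000] conn=1042 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jun/2005:10:07:10 +0000] conn=1043 fd=65 slot=65 connection from 192.0.2.10 to 192.0.2.1
[08/Jun/2005:10:07:10 +0000] conn=1043 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[08/Jun/2005:10:07:10 +0000] conn=1042 op=1 UNBIND
[08/Jun/2005:10:07:10 +0000] conn=1043 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Jun/2005:10:07:11 +0000] conn=1043 op=14 EXT oid="1.3.6.1.4.1.4203.1.11.1"
[08/Jun/2005:10:07:11 +0000] conn=1043 op=14 RESULT err=89 tag=120 nentries=0 etime=0
[08/Jun/2005:10:07:12 +0000] conn=1043 op=15 UNBIND
"""

def failed_connections(log_text, codes=CODES):
    """Map conn -> {"lines": whole connection, "failures": [(op, err, meaning, request)]}."""
    lines = defaultdict(list)     # conn -> every raw line, in log order
    requests = {}                 # (conn, op) -> request text (BIND, MOD, EXT, ...)
    failures = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue              # blank or unrecognised line
        conn, op, rest = int(m["conn"]), m["op"], m["rest"]
        lines[conn].append(raw)
        if op is None:
            continue              # the connection-open notice carries no op number
        err = ERR.match(rest)
        if err is None:
            requests.setdefault((conn, op), rest)
        elif int(err.group(1)) in codes:
            code = int(err.group(1))
            failures[conn].append((int(op), code, codes[code], requests.get((conn, op), "?")))
    return {c: {"lines": lines[c], "failures": f} for c, f in failures.items()}

if __name__ == "__main__":
    for conn, info in failed_connections(SAMPLE_LOG).items():
        for op, code, meaning, request in info["failures"]:
            print(f"conn={conn} op={op} err={code} ({meaning}) request: {request}")
        print("\n".join(info["lines"]))
```

Interleaved connections are kept apart by conn number, so the output for conn=1043 shows which identity bound and which request drew the error, without the unrelated conn=1042 lines.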



