1 Reply Latest reply: Sep 26, 2013 9:24 AM by nychawk

    Users Unable to Authenticate

    nychawk

      Hello:


      I am having some issues with some, not all, of my users being able to authenticate into newly migrated LDAP clients.

      All of my accounts were created from their former NIS form using ldapaddent, one had its passwd changed via the DSCC; that one works.


      Another one worked, until I recently re-entered its shadow entry, again using ldapaddent (I was trying to keep two distinct environments in sync). Now this account is unable to authenticate at all.


      Some background:


      1.  I do not recall if I created an SSD for shadow when I ran idsconfig.

      2.  What is the preferred method for:

           a.  Checking that I do have an SSD for passwd, and shadow?

           b.  Adding one, assuming I need to?


      3.  When I run "dsconf get-server-prop", grepping with ^pwd, I get:

      pwd-accept-hashed-pwd-enabled      :  N/A
      pwd-check-enabled                  :  off
      pwd-compat-mode                    :  DS5-compatible-mode
      pwd-expire-no-warning-enabled      :  on
      pwd-expire-warning-delay           :  1s
      pwd-failure-count-interval         :  10m
      pwd-grace-login-limit              :  disabled
      pwd-keep-last-auth-time-enabled    :  off
      pwd-lockout-duration               :  disabled
      pwd-lockout-enabled                :  off
      pwd-lockout-repl-priority-enabled  :  on
      pwd-max-age                        :  disabled
      pwd-max-failure-count              :  3
      pwd-max-history-count              :  disabled
      pwd-min-age                        :  disabled
      pwd-min-length                     :  6
      pwd-mod-gen-length                 :  6
      pwd-must-change-enabled            :  off
      pwd-root-dn-bypass-enabled         :  off
      pwd-safe-modify-enabled            :  off
      pwd-storage-scheme                 :  CRYPT
      pwd-strong-check-dictionary-path   :  /local/DB/plugins/words-english-big.txt
      pwd-strong-check-enabled           :  off
      pwd-strong-check-require-charset   :  lower
      pwd-strong-check-require-charset   :  upper
      pwd-strong-check-require-charset   :  digit
      pwd-strong-check-require-charset   :  special
      pwd-supported-storage-scheme       :  CRYPT
      pwd-supported-storage-scheme       :  SHA384
      pwd-supported-storage-scheme       :  SHA256
      pwd-supported-storage-scheme       :  SHA512
      pwd-supported-storage-scheme       :  SHA
      pwd-supported-storage-scheme       :  SSHA
      pwd-supported-storage-scheme       :  SSHA384
      pwd-supported-storage-scheme       :  SSHA256
      pwd-supported-storage-scheme       :  SSHA512
      pwd-supported-storage-scheme       :  CLEAR
      pwd-user-change-enabled            :  on

      I am getting close to a full migration from NIS to LDAP, and need to have everything in order prior. Unfortunately, I cannot test auth for other users...

      Thank you.

        1. Re: Users Unable to Authenticate
          nychawk

          I am posting this follow-up hoping it can help someone in the future.


          Well, my problem was that several of my users had admin accounts which were using the same UID as their non-admin accounts!

          When I was troubleshooting I saw errors in my logs for userxADMIN instead of userX, which drove me to look at their UIDs. 


          When I imported my NIS passwd map into LDAP using ldapaddent, the ADMIN accounts were at the bottom (same for their shadow equivalents), which treated the later entry as a password update.


          What a wasted day!!!
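The failure described in the follow-up (a second passwd entry with an already-used UID being treated by ldapaddent as a password update) is cheap to catch before the import. The script below is an added example, not code from the thread or from the Solaris tools; it assumes a passwd(4)-format file as input, and the account names and UIDs in its sample map are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag duplicate UIDs in a passwd-format file before it is
# handed to ldapaddent. Sample data below is constructed, not from the thread.

# Print one line per UID that appears more than once: "<uid> <name1> <name2> ...".
# Comment lines and NIS compat entries (+/-) are skipped.
find_duplicate_uids() {
    # $1: path to a passwd(4)-format file
    awk -F: '
        NF >= 3 && $1 !~ /^[#+-]/ { names[$3] = names[$3] " " $1; count[$3]++ }
        END {
            for (uid in count)
                if (count[uid] > 1) print uid names[uid]
        }' "$1" | sort -n
}

# Return 1 when any UID is shared, so the check can gate the migration step.
check_passwd_file() {
    dups=$(find_duplicate_uids "$1")
    if [ -n "$dups" ]; then
        echo "duplicate UIDs found in $1 (fix before running ldapaddent):" >&2
        echo "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample map: the ADMIN accounts at the bottom reuse the UIDs of
# the regular accounts, which is the situation the follow-up post describes.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
carol:x:1003:100:Carol:/home/carol:/bin/sh
aliceADMIN:x:1001:100:Alice admin:/home/aliceADMIN:/bin/sh
bobADMIN:x:1002:100:Bob admin:/home/bobADMIN:/bin/sh
EOF

# On the sample map this reports UIDs 1001 and 1002 and returns non-zero.
check_passwd_file "$SAMPLE_PASSWD" || echo "migration check failed" >&2
```

Run the same check against the shadow map (field 1 only has a name there, so compare names between passwd and shadow instead) if you keep the two in sync by re-importing, as the original post did.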