[sudo-workers] ldap and password

Markus Rennings news at rennings.net
Thu Aug 19 20:11:02 EDT 2004


Repost

Hi,

I've installed sudo-1.6.8rc6 because I want to try the LDAP sudoers. As long
as there is an "!authenticate" entry everything works fine. But without it
there's a problem with the password. I type the right password but I always get an
error:
| sudo: contact your system administrator, Account or password is expired
| Sorry, try again.
But as I said before, the password is the right one - I can log in with it (via
LDAP, so that works too). I don't know what to try now. I have also changed
the password algorithms on a test account, but no matter what I
selected, nothing worked.
Anybody?
Which information do you need?

System: Gentoo Linux
OpenLDAP-2.1.30-r1

| mr $ sudo vi
| LDAP Config Summary
| ===================
| host         192.168.1.3
| port         389
| ldap_version 3
| uri          ldaps://server.rennings.homexxxxx.net/
| sudoers_base ou=SUDOers,dc=rennings.homexxxxx,dc=net
| binddn       (anonymous)
| bindpw       (anonymous)
# I've also tried with non-anonymous binds. Doesn't work
| ssl                     on
| ===================
| ldap_initialize(ld,ldaps://server.rennings.homelinux.net/)
| ldap_bind() ok
| found:cn=defaults,ou=SUDOers,dc=rennings.homexxxxx,dc=net
| ldap search '(|(sudoUser=mr)(sudoUser=%users)(sudoUser=%wheel)
| (sudoUser=%wheel)(sudoUser=%uucp)(sudoUser=%cron)(sudoUser=%cron)
| (sudoUser=%audio)(sudoUser=%audio)(sudoUser=%cdrom)(sudoUser=%dialout)
| (sudoUser=%tape)(sudoUser=%video)(sudoUser=%games)(sudoUser=%cdrw)
| (sudoUser=%usb)(sudoUser=%users)(sudoUser=%portage)(sudoUser=%portage)
| (sudoUser=ALL))'     
| found:cn=MR,ou=SUDOers,dc=rennings.homexxxxx,dc=net 
| ldap sudoHost 'ALL' ... MATCH! 
| ldap sudoCommand '/usr/sbin/traceroute' ... not 
| ldap sudoCommand '/usr/bin/emerge sync' ... not 
| found:cn=%wheel,ou=SUDOers,dc=rennings.homexxxxx,dc=net 
| ldap sudoHost 'ALL' ... MATCH! 
| ldap sudoCommand 'ALL' ... MATCH! 
| Perfect Matched! 
| user_matches=-1 
| host_matches=-1 
| sudo_ldap_check(0)=0x02 
| Password: 
| sudo: contact your system administrator, Account or password is expired 
| Sorry, try again. 
| sudo: contact your system administrator, Account or password is expired 
| Sorry, try again. 
| sudo: contact your system administrator, Account or password is expired 
| Sorry, try again. 
| sudo: 3 incorrect password attempts 
# I've got only one password prompt and directly the three error messages.

TIA
Ciao,
Markus
-- 
A: Because it worsens the readability of the text.
Q: Why is TOFU so bad?
A: TOFU
Q: What is the biggest annoyance on Usenet?
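Reading the trace quoted in the post: sudo_ldap_check returns a match (on the cn=%wheel entry, whose sudoHost and sudoCommand are both ALL) before the "Password:" prompt, and every error line is printed after that prompt. The sudoers lookup from LDAP and the password check are therefore separate stages in this trace. The following is an added example by the editor, not code from the post or from the sudo project: a small parser for the debug format shown above that records, per LDAP entry, which sudoHost/sudoCommand values matched and which stage produced the errors. The sample trace is constructed from the lines quoted in the post (with the poster's masked host name), and the literal line formats matched are assumed to be those of the sudo 1.6.8rc6 build that produced them.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the sudo LDAP debug trace quoted in the post above.
SAMPLE_TRACE = """\
| ldap_initialize(ld,ldaps://server.rennings.homelinux.net/)
| ldap_bind() ok
| found:cn=defaults,ou=SUDOers,dc=rennings.homexxxxx,dc=net
| found:cn=MR,ou=SUDOers,dc=rennings.homexxxxx,dc=net
| ldap sudoHost 'ALL' ... MATCH!
| ldap sudoCommand '/usr/sbin/traceroute' ... not
| ldap sudoCommand '/usr/bin/emerge sync' ... not
| found:cn=%wheel,ou=SUDOers,dc=rennings.homexxxxx,dc=net
| ldap sudoHost 'ALL' ... MATCH!
| ldap sudoCommand 'ALL' ... MATCH!
| Perfect Matched!
| user_matches=-1
| host_matches=-1
| sudo_ldap_check(0)=0x02
| Password:
| sudo: contact your system administrator, Account or password is expired
| Sorry, try again.
| sudo: contact your system administrator, Account or password is expired
| Sorry, try again.
| sudo: contact your system administrator, Account or password is expired
| Sorry, try again.
| sudo: 3 incorrect password attempts
"""

# Line formats as they appear in the quoted 1.6.8rc6 output (assumed stable).
FOUND_RE = re.compile(r"^found:(?P<dn>.+)$")
ATTR_RE = re.compile(
    r"^ldap (?P<attr>sudoHost|sudoCommand) '(?P<value>.*)' \.\.\. (?P<result>MATCH!|not)$")
CHECK_RE = re.compile(r"^sudo_ldap_check\(\d+\)=0x(?P<flags>[0-9a-fA-F]+)$")


@dataclass
class Entry:
    """One LDAP entry reported by 'found:' and the attribute checks that followed it."""
    dn: str
    host_matched: bool = False
    commands: List[Tuple[str, bool]] = field(default_factory=list)

    def grants(self) -> bool:
        # An entry only applies when its sudoHost matched and at least one sudoCommand did.
        return self.host_matched and any(matched for _, matched in self.commands)


@dataclass
class TraceResult:
    bind_ok: bool = False
    entries: List[Entry] = field(default_factory=list)
    perfect_match: bool = False
    check_flags: Optional[int] = None       # value printed by sudo_ldap_check()
    password_prompted: bool = False
    auth_errors: List[str] = field(default_factory=list)  # 'sudo: ...' lines after the prompt
    lockout: bool = False                   # 'N incorrect password attempts' seen


def parse_trace(text: str) -> TraceResult:
    res = TraceResult()
    current: Optional[Entry] = None
    after_prompt = False
    for raw in text.splitlines():
        line = raw.strip().lstrip("| ").strip()   # drop the mail quoting prefix
        if not line or line.startswith("#"):       # skip blanks and the poster's remarks
            continue
        if line == "ldap_bind() ok":
            res.bind_ok = True
        elif (m := FOUND_RE.match(line)):
            current = Entry(dn=m.group("dn"))
            res.entries.append(current)
        elif (m := ATTR_RE.match(line)) and current is not None:
            matched = m.group("result") == "MATCH!"
            if m.group("attr") == "sudoHost":
                current.host_matched = matched
            else:
                current.commands.append((m.group("value"), matched))
        elif line == "Perfect Matched!":
            res.perfect_match = True
        elif (m := CHECK_RE.match(line)):
            res.check_flags = int(m.group("flags"), 16)
        elif line == "Password:":
            res.password_prompted = after_prompt = True
        elif after_prompt and line.startswith("sudo: "):
            msg = line[len("sudo: "):]
            if "incorrect password attempts" in msg:
                res.lockout = True
            else:
                res.auth_errors.append(msg)
    return res


def granting_entries(res: TraceResult) -> List[str]:
    return [e.dn for e in res.entries if e.grants()]


def failing_stage(res: TraceResult) -> str:
    """Name the first stage that failed: bind, authorization (sudoers lookup), authentication, or none."""
    if not res.bind_ok:
        return "bind"
    if not res.perfect_match and not granting_entries(res):
        return "authorization"
    if res.auth_errors or res.lockout:
        return "authentication"
    return "none"


if __name__ == "__main__":
    result = parse_trace(SAMPLE_TRACE)
    print("granting entries:", granting_entries(result))
    print("failing stage:", failing_stage(result))
```

Run it on a trace captured from `sudo` with LDAP debugging on; `failing_stage` says whether to look at ldap.conf and the sudoers entries (bind or authorization) or at the password/PAM side (authentication).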