ldap_modify:更改密码时访问不足(50)

CentOS 前端之家
前端之家收集整理的这篇文章主要介绍了ldap_modify:更改密码时访问不足(50)前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我正在尝试在CentOS 6.7上的新OpenLDAP安装上修改LDAP管理员密码(类似于RHEL 6.7).

我创建了一个名为change_ldap_password.ldif的文件

# Hash your password:
# slappasswd -h {SSHA} -s "my_password"

# I also tried {1}hdb instead of {0}config
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}YP8q2haCD1POSzQC3GAuBdrfaHh+/Y49

当我以root身份运行以下命令时,出现访问错误

# ldapmodify -x  -W -D "cn=admin,dc=my_domain,dc=com" -f ./change_ldap_password.ldif
Enter LDAP Password:
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify: Insufficient access (50)

这是ldapwhoami的输出

# ldapwhoami -x  -W -D "cn=admin,dc=com"
Enter LDAP Password:
dn:cn=admin,dc=com

这是在cn = config中grel for olcRoot的结果:

# grep -R olcRoot /etc/openldap/slapd.d/cn=config
/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootDN: cn=admin,dc=com
/etc/openldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif:olcRootPW:: ...

这是ldapmodify的调试信息:

# ldapmodify -x  -W -D "cn=admin,dc=com" -f ./change_ldap_password.ldif -d1
ldap_create
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 4
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 4
ldap_connect_to_path: Trying /var/run/ldapi
ldap_connect_timeout: fd: 4 tm: -1 async: 0
ldap_ndelay_on: 4
ldap_close_socket: 4
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
attempting to connect:
connect success
TLS: certdb config: configDir='/etc/openldap/certs' tokenDescription='ldap(0)' certPrefix='' keyPrefix='' flags=readOnly
TLS: using moznss security dir /etc/openldap/certs prefix .
TLS: certificate [CN=my_server.my_domain.com] is valid
TLS certificate verification: subject: CN=my_server.my_domain.com,issuer: CN=my_server.my_domain.com,cipher: AES-256,security level: high,secret key bits: 256,total key bits: 256,cache hits: 0,cache misses: 0,cache not reusable: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 50 bytes to sd 4
ldap_result ld 0x184a340 msgid 1
wait4msg ld 0x184a340 msgid 1 (infinite timeout)
wait4msg continue ld 0x184a340 msgid 1 all 1
** ld 0x184a340 Connections:
* host: (null)  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Fri Oct 30 14:04:24 2015


** ld 0x184a340 Outstanding Requests:
 * msgid 1,origid 1,status InProgress
   outstanding referrals 0,parent count 0
  ld 0x184a340 request count 1 (abandoned 0)
** ld 0x184a340 Response Queue:
   Empty
  ld 0x184a340 response count 0
ldap_chkResponseList ld 0x184a340 msgid 1 all 1
ldap_chkResponseList returns ld 0x184a340 NULL
ldap_int_select
read1msg: ld 0x184a340 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x184a340 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x184a340 0 new referrals
read1msg:  mark request completed,ld 0x184a340 msgid 1
request done: ld 0x184a340 msgid 1
res_errno: 0,res_error: <>,res_matched: <>
ldap_free_request (origid 1,msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
modifying entry "olcDatabase={0}config,cn=config"
ldap_modify_ext
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 102 bytes to sd 4
ldap_result ld 0x184a340 msgid 2
wait4msg ld 0x184a340 msgid 2 (timeout 100000 usec)
wait4msg continue ld 0x184a340 msgid 2 all 1
** ld 0x184a340 Connections:
* host: (null)  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Fri Oct 30 14:04:24 2015


** ld 0x184a340 Outstanding Requests:
 * msgid 2,origid 2,parent count 0
  ld 0x184a340 request count 1 (abandoned 0)
** ld 0x184a340 Response Queue:
   Empty
  ld 0x184a340 response count 0
ldap_chkResponseList ld 0x184a340 msgid 2 all 1
ldap_chkResponseList returns ld 0x184a340 NULL
ldap_int_select
read1msg: ld 0x184a340 msgid 2 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x184a340 msgid 2 message type modify
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x184a340 0 new referrals
read1msg:  mark request completed,ld 0x184a340 msgid 2
request done: ld 0x184a340 msgid 2
res_errno: 50,res_matched: <>
ldap_free_request (origid 2,msgid 2)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_modify: Insufficient access (50)

ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 4
ldap_free_connection: actually freed

如果我输入了错误的密码,则错误会从“访问权限不足”更改为“无效凭据”:

ldap_bind: Invalid credentials (49)

我看到了this ServerFault question,但那个是关于权限有限的用户,而不是管理员或root用户.

如何通过ldap_modify:访问(50)错误

为什么根标识为LDAP管理员无权更改密码?

如果这是推荐的解决方案,我可以重新安装slapd.我想在进一步前进之前解决错误.

编辑:在ldapi:///上转到cn = config会出现以下错误

# ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' -d1
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 3
ldap_connect_to_path: Trying /var/run/ldapi
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_close_socket: 3
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

我想我在/etc/openldap/ldap.conf中定义了ldapi://但是我不确定ldapi:///

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my_domain,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
URI     ldap:// ldapi:// ldaps://

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF          never

TLS_CACERTDIR /etc/openldap/certs

编辑2:我得到了相同的ldap_sasl_interactive_bind_s:停止防火墙(服务iptables停止)后无法联系LDAP服务器(-1)错误,所以防火墙不是问题.

为了管理’cn = config’数据库,您需要’cn = config’管理员,而不是数据DB的管理员.
在debian中,这样的管理员是root用SASL TLS External.尝试 
sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'

确认上述作品后,您可以更改密码.首先,哈希值:

slappasswd -h {SSHA} -s "my_password"

然后,将散列值粘贴到ldif文件中,例如./change_ldap_password.ldif:

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}cZbRoOhRew8MBiWGSEOiFX0XqbAQwXUr

最后,应用ldif文件

sudo ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f ./change_ldap_password.ldif

不鼓励使用ldapmodify更改密码.如果用户存在(不是这种情况),ldappasswd会更好.

原文链接:https://www.f2er.com/centos/373502.html

猜你在找的CentOS相关文章

Centos7离线安装gcc4.8
有时候CentOS工作在无互联网的环境下,需要在离线环境下安装一些组件,这次实现的是模拟在...
CentOS7离线安装devtoolset-9并编译redis6.0.5
首先参照https://www.cnblogs.com/wdw984/p/13330074.html,来进行如何安装Centos和离线下...
使用Nginx在80端口上代理多个.NET CORE网站
有两个.NET CORE3.1网站部署在CentOS7上(内网IP是192.168.2.32),现在想实现访问http://...
CentOS7中配置vsftpd
1、yum -y install vsftpd 安装vsftpd 2、配置vsftpd的配置文件(/etc/vsftpd/vsftpd.conf...
CentOS7离线安装Mysql8.0
首先去mysql官网下载mysql的离线rpm安装包(https://downloads.mysql.com/archives/commun...
CentOS中增加网络连接数的方法
CentOS默认对外访问,发起的TCP链接总数小于28232个。 可以通过以下命令的结果计算出来 $ ...
VMware安装Centos7虚拟机
首先安装虚拟机很简单,所以呢,具体的安装过程就引用别人的博客,这篇文字很详细,引用之...
[Linux] 解决CentOS下Requires: libjson-c.so错误
当安装某些rpm包的时候 , 会爆出这个错误 Requires: libjson-c.so json-c是c语言下的json库...
阿里云centos7安装mysql8数据库
linux系统安装mysql8
centos安装mysql
一、安装 二、修改密码 三、修改远程连接权限(为了使用navicat)
LinuxWindowsCentOSUbuntuNginxWebServiceScalaMemcacheApacheRedisDockerBashAzureTomcatLNMPShell数据结构服务器运维网络安全
xebugnodemondocker-copydcoselasticsearcwindows-contdocker-windodocker-awsamazon-cloudenvoyproxyhashicorp-vaswisscomdevkafka-pythonzscalerphoton-osdocker-swarmkamongoogle-cloudconcoursewso2-ampersistent-vapi-managerprocess-manamanjarojenkins-workhypriotremoteapikeystonejsbitcoindbitcoin-test