Il problema

Gli utenti non possono cambiare la loro password utilizzando Preferenze di sistema - > Utenti e amp; Gruppi su un Mac collegato a un server LDAP (in particolare, OpenLDAP).

Questo errore sembra essere il risultato di OS X 10.7.4 che ora invia il nome utente dell'utente piuttosto che il suo DN completo (ad esempio, sta inviando bobsmith , non uid=bobsmith,ou=Users,dc=companyname,dc=com ).

(un bug report per questo problema è stato archiviato con Apple e può essere visto su OpenRader @ link )

Procedura per la riproduzione:

Prova a cambiare la password utilizzando Preferenze di sistema - > Utenti e amp; Gruppi prefpane su Lion (modifica: o Mountain Lion). Non riesce con il seguente messaggio di errore:

The password for the account “bobsmith” was not changed. Your system administrator may not allow you to change your password or there was some other problem with your password. Contact your system administrator for help.

Risultati previsti:

La password deve essere cambiata.

Risultati effettivi:

L'errore appare e sul server LDAP viene registrato un errore simile al seguente:

Jun 28 08:42:21 ldap3 slapd[7810]: conn=10518785 op=2 RESULT oid= err=21 text=Invalid DN

Questo errore sembra essere il risultato di OS X 10.7.4 che ora invia il nome utente dell'utente invece del loro DN completo (ad esempio, sta inviando bobsmith , non uid=bobsmith,ou=Users,dc=companyname,dc=com )

Note: Ciò è stato rilevato da qualcun altro nei forum di AFP548.com Chi ha terminato l'installazione del proprio server LDAP per risolvere il problema. Tuttavia, ciò non dovrebbe richiedere la risoluzione delle patch LDAP. Lion e Mountain Lion devono (almeno avere un'opzione per) inviare il DN completo di un utente che richiede di cambiare la propria password, non il nome utente breve:

Testo dal link del forum sopra (nel caso in cui sia rimosso):

So, I’ve got this OpenLDAP server with network home directories at home that all of my Mac machines authenticate to. Everybody can bounce around to whatever Mac is available. It works great.

Anyway, with Snow Leopard, I was able to change user passwords via System Preferences. However, that got broken when I upgraded to Lion and Mountain Lion (amongst other things). Both Snow Leopard, Lion, and Mountain Lion send exop’s to the ldap server, but for whatever reason, the id is screwed up in Lion and Mountain Lion (or at least, it’s screwed up on the two machines at home I tested this with). Instead of sending the user’s DN, e.g. “uid=user,cn=users,ou=something,dc=somewhere,dc=com”, the ldap server is only sent the uid, e.g. “user”. The ldap server is expecting a DN here, so naturally, it fails with the error “Invalid DN”.

Bummer.

So, to work around that, I had to patch OpenLDAP (version 2.4.26 in this case). Now, when my server can’t resolve the id it’s given during a password change, it will look at the bind DN, and if the id string is contained within the bind DN string, it will just use the bind DN as the entry to change. I figured this would still allow me to manually specify password changes via an admin account while still giving users the ability to change their own passwords without having to point them at a webpage (lame).

I should point out that all my accounts have the uid as part of the DN… I guess if you were doing some kind of crazy SASL mappings, this might not work for you…

Anyway, here’s the patch in case anyone else is interested… If it works for you, great. If not, oh well.

-- passwd.c 2011-06-30 11:13:36.000000000 -0400
+++ passwd.lion_compatability.c 2012-02-13 22:48:54.213214617 -0500
@@ -18,4 +18,5 @@

 #include 
+#include 

 #include 
@@ -59,4 +60,5 @@
    int freenewpw = 0;
    struct berval dn = BER_BVNULL, ndn = BER_BVNULL;
+   ber_int_t err;

    assert( ber_bvcmp( &slap_EXOP_MODIFY_PASSWD, &op->ore_reqoid ) == 0 );
@@ -102,11 +104,8 @@

    if ( !BER_BVISEMPTY( &id ) ) {
-       rs->sr_err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx );
-       id.bv_val[id.bv_len] = idNul;
-       if ( rs->sr_err != LDAP_SUCCESS ) {
-           rs->sr_text = "Invalid DN";
-           rc = rs->sr_err;
-           goto error_return;
-       }
+       err = dnPrettyNormal( NULL, &id, &dn, &ndn, op->o_tmpmemctx );
+   }
+
+   if ( !BER_BVISEMPTY( &id ) && (err == LDAP_SUCCESS) ) {
        op->o_req_dn = dn;
        op->o_req_ndn = ndn;
@@ -116,4 +115,16 @@
        ber_dupbv_x( &dn, &op->o_dn, op->o_tmpmemctx );
        ber_dupbv_x( &ndn, &op->o_ndn, op->o_tmpmemctx );
+       if ( !BER_BVISEMPTY( &id ) ) {
+           /* See if the id matches the bind dn */
+           if ( strstr( dn.bv_val, id.bv_val ) == NULL )
+           {
+               rs->sr_err = err; /* From dnPrettyNormal */
+               rs->sr_text = "Invalid DN";
+               rc = rs->sr_err;
+               goto error_return;
+           }
+           Statslog( LDAP_DEBUG_STATS, "%s Invalid id (%s) specified; using bind DN (%s)\n",
+                   op->o_log_prefix, id.bv_val, dn.bv_val, 0, 0 );
+       }
        op->o_req_dn = dn;
        op->o_req_ndn = ndn;
@@ -123,4 +134,8 @@
    }

+   if ( !BER_BVISEMPTY( &id ) ) {
+       id.bv_val[id.bv_len] = idNul;
+   }
+
    if( op->o_bd == NULL ) {
        if ( qpw->rs_old.bv_val != NULL ) {
"

UPDATE (ancora non funziona, comunque)

Ho provato a cambiare la password con dscl, in questo modo:

$ dscl -u bobsmith -p /LDAPv3/ldap -passwd /Users/bobsmith           

... e questo ha generato quanto segue dopo aver inserito la mia password corrente e una nuova:

Password: 
New Password: 
passwd: DS error: eNotYetImplemented
 DS Error: -14988 (eNotYetImplemented)

Sul mio server OpenLDAP, ha generato:

Jul  3 11:47:51 ldap slapd[7810]: conn=12282745 fd=1633 ACCEPT from IP=10.0.1.3:64485 (IP=0.0.0.0:636)
Jul  3 11:47:51 ldap slapd[7810]: conn=12282745 fd=1633 closed (TLS negotiation failure)
Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 fd=1633 ACCEPT from IP=10.0.1.3:64486 (IP=0.0.0.0:636)
Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 fd=1633 TLS established tls_ssf=256 ssf=256
Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SRCH attr=supportedSASLMechanisms defaultNamingContext namingContexts schemaNamingContext
Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128
Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0
Jul  3 11:47:51 ldap slapd[7810]: conn=12282746 op=1 RESULT tag=97 err=0 text=
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=2 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=3 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SRCH attr=objectClass apple-generateduid uid uidNumber userPassword cn
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 PASSMOD old
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=5 RESULT oid= err=53 text=old password value is empty
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 op=6 UNBIND
Jul  3 11:47:56 ldap slapd[7810]: conn=12282746 fd=1633 closed

Se eseguo lo stesso comando dscl da una macchina Snow Leopard, funziona senza errori:

$ dscl -u bobsmith -p /LDAPv3/myldapserver.com -passwd /Users/bobsmith
Password: 
New Password: 

Genera questi registri sul server

Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 ACCEPT from IP=10.0.1.2:51013 (IP=0.0.0.0:636)
Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 TLS established tls_ssf=256 ssf=256
Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName
Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 op=1 UNBIND
Jul  3 12:03:29 ldap slapd[7810]: conn=12293658 fd=1283 closed
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 ACCEPT from IP=10.0.1.2:51014 (IP=0.0.0.0:636)
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 fd=1283 TLS established tls_ssf=256 ssf=256
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SRCH attr=supportedSASLMechanisms namingContexts dnsHostName krbName
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=0 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" method=128
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 BIND dn="uid=bobsmith,ou=Users,dc=mycompany,dc=com" mech=SIMPLE ssf=0
Jul  3 12:03:29 ldap slapd[7810]: conn=12293659 op=1 RESULT tag=97 err=0 text=
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SRCH attr=uid cn
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SRCH attr=uid cn
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=4 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 EXT oid=1.3.6.1.4.1.4203.1.11.1
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 PASSMOD id="uid=bobsmith,ou=Users,dc=mycompany,dc=com" new
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=5 RESULT oid= err=0 text=
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=6 SRCH base="ou=Users,dc=mycompany,dc=com" scope=2 deref=0 filter="(&(|(objectClass=posixAccount)(objectClass=inetOrgPerson)(objectClass=shadowAccount))(|(uid=bobsmith)(cn=bobsmith)))"
Jul  3 12:03:31 ldap slapd[7810]: conn=12293659 op=6 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul  3 12:03:32 ldap slapd[7810]: conn=12293659 op=7 UNBIND
Jul  3 12:03:32 ldap slapd[7810]: conn=12293659 fd=1283 closed