On 09/12/2013 10:02 AM, Bright, Daniel wrote: > > Jakub, I took your advice and turned debugging to level 9, this is > what I am seeing in the logs: > > > > ======================================================================================================= > > [r...@some.server.com sssd]# tail -f sssd_LDAP.log | grep sdap_exop > > (Thu Sep 12 09:44:57 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation > > (Thu Sep 12 09:44:57 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_send] (0x2000): ldap_extended_operation sent, > msgid = 3 > > (Thu Sep 12 09:44:57 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_done] (0x0200): Server returned no controls. > > (Thu Sep 12 09:44:57 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation > result: Constraint violation(19), Failed to update password > > ======================================================================================================= > > > > > > Here is some more relevant log information: > > > > ======================================================================================================= > > [r...@some.server.com sssd]# tail -f sssd_LDAP.log | grep sdap_exop > > (Thu Sep 12 09:44:57 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation > > (Thu Sep 12 09:44:57 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_send] (0x2000): ldap_extended_operation sent, > msgid = 3 > > (Thu Sep 12 09:44:57 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_done] (0x0200): Server returned no controls. > > (Thu Sep 12 09:44:57 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation > result: Constraint violation(19), Failed to update password > > > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_sys_connect_done] > (0x0100): Executing START TLS > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_result] > (0x2000): Trace: sh[0x90d340], connected[1], ops[0x9cb7d0], ldap[0x9e8030] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_message] > (0x4000): Message type: [LDAP_RES_EXTENDED] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_connect_done] > (0x0080): START TLS result: Success(0), Start TLS request > accepted.Server willing to negotiate SSL. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [fo_set_port_status] > (0x0100): Marking port 389 of server 'atl01osd110.vsi.com' as 'working' > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [set_server_common_status] > (0x0100): Marking server 'atl01osd110.vsi.com' as 'working' > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [ldb] (0x4000): Added > timed event "ltdb_callback": 0x98db10 > > > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [ldb] (0x4000): Added > timed event "ltdb_timeout": 0x9e8cf0 > > > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [ldb] (0x4000): Destroying > timer event 0x9e8cf0 "ltdb_timeout" > > > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [ldb] (0x4000): Ending > timer event 0x98db10 "ltdb_callback" > > > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] > [find_password_expiration_attributes] (0x4000): No password policy > requested. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [simple_bind_send] > (0x0100): Executing simple bind as: > uid=user1,ou=People,dc=some,dc=company,dc=com > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [simple_bind_send] > (0x2000): ldap simple bind sent, msgid = 2 > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_result] > (0x2000): Trace: sh[0x90d340], connected[1], ops[0x900e80], ldap[0x9e8030] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_result] > (0x2000): Trace: sh[0x90d340], connected[1], ops[0x900e80], ldap[0x9e8030] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_message] > (0x4000): Message type: [LDAP_RES_BIND] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [simple_bind_done] > (0x2000): Server returned control [1.3.6.1.4.1.42.2.27.8.5.1]. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [simple_bind_done] > (0x1000): Password Policy Response: expire [346806] grace [-1] error > [No error]. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [simple_bind_done] > (0x1000): Password will expire in [346806] seconds. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [simple_bind_done] > (0x2000): Server returned control [2.16.840.1.113730.3.4.5]. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [simple_bind_done] > (0x1000): Password will expire in [346806] seconds. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [simple_bind_done] > (0x0400): Bind result: Success(0), no errmsg set > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [auth_bind_user_done] > (0x4000): Found ppolicy data, assuming LDAP password policies are active. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_auth4chpass_done] > (0x1000): user [uid=user1,ou=People,dc=some,dc=company,dc=com] > successfully authenticated. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_control_create] > (0x0080): Server does not support the requested control > [1.3.6.1.4.1.42.2.27.8.5.1]. >
This is the problem. Please check your DS. On the SSSD side it was fixed in sssd-1.5.1-51.el6 so it might be something going on the DS configuration side. > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_send] (0x0100): Executing extended operation > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_send] (0x2000): ldap_extended_operation sent, > msgid = 3 > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_result] > (0x2000): Trace: sh[0x90d340], connected[1], ops[0x9bf740], ldap[0x9e8030] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_result] > (0x2000): Trace: ldap_result found nothing! > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_result] > (0x2000): Trace: sh[0x90d340], connected[1], ops[0x9bf740], ldap[0x9e8030] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_process_message] > (0x4000): Message type: [LDAP_RES_EXTENDED] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_done] (0x0200): Server returned no controls. > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] > [sdap_exop_modify_passwd_done] (0x0080): ldap_extended_operation > result: Constraint violation(19), Failed to update password > > > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [be_pam_handler_callback] > (0x0100): Backend returned: (3, 12, <NULL>) [Internal Error > (Authentication token is no longer valid; new one required)] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [be_pam_handler_callback] > (0x0100): Sending result [12][LDAP] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [be_pam_handler_callback] > (0x0100): Sent result [12][LDAP] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] [sdap_handle_release] > (0x2000): Trace: sh[0x90d340], connected[1], ops[(nil)], > ldap[0x9e8030], destructor_lock[0], release_memory[0] > > (Thu Sep 12 09:54:50 2013) [sssd[be[LDAP]]] > [remove_connection_callback] (0x4000): Successfully removed connection > callback. > > ======================================================================================================= > > > > I noticed it says “Server does not support the requested control > [1.3.6.1.4.1.42.2.27.8.5.1]” looking at my 389-ds schema my password > policy OID = 2.16.840.1.113730.3.2.13, could this be the issue? > > > > Thanks, > > Daniel B. > > > > _______________________________________________ > sssd-users mailing list > sssd-users@lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-users -- Thank you, Dmitri Pal Sr. Engineering Manager for IdM portfolio Red Hat Inc. ------------------------------- Looking to carve out IT costs? www.redhat.com/carveoutcosts/
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users