Q. All the LDAP users are unable to log in and get an "access denied" error. How can this be fixed without losing any user information?
First, check whether the users' passwords have expired or their accounts are locked.
Step 1
1. This command retrieves the user's password status as reported by the ppolicy overlay; an expired password or a locked account will be reported.
#ldapwhoami -xW -D uid=emp1,ou=people,dc=sunt,dc=com -v -e ppolicy
Note: You need to enter user emp1's credentials.
2. Use this simple script to find the password age of every user. Replace ROOTDN and ROOTPW with the appropriate values.
#ROOTDN="Your rootdn value"
#ROOTPW="Your rootdn password"
# Walk every entry that has both a password and a pwdChangedTime
for i in `ldapsearch -xw $ROOTPW -D $ROOTDN -b dc=sunt,dc=com -LLL '(&(userpassword=*)(pwdchangedtime=*))' dn|awk '{print $2}'`
do
# uid taken from the first RDN of the DN (uid=...)
USERID=`echo $i|awk -F, '($1~/^uid=/){print $1}'|awk -F= '{print $2}'`
# pwdChangedTime is a generalized time in UTC, e.g. 20240105093012Z
PWCGE=`ldapsearch -xw $ROOTPW -D $ROOTDN -b $i -LLL pwdchangedtime|grep -i ^pwdchangedtime|awk '{print $2}'|sed 's/Z//'`
EXDTE=`echo $PWCGE |cut -c 1-8`
EXTME=`echo $PWCGE |cut -c 9- |sed 's/.\{2\}/&:/g' |cut -c -8`
# -u so the UTC timestamp is not interpreted in the local time zone
EXSEC=`date -u -d "$EXDTE $EXTME" +%s`
CDSEC=`date -u +%s`
# age in whole days
DIFF=`expr \( $CDSEC / 86400 \) - \( $EXSEC / 86400 \)`
echo "$USERID password age is $DIFF"
done
Have the users' passwords expired? If yes, the LDAP admin would have to reset the password for each user, which is not an easy task. Wouldn't it be great if there were a simpler solution?
Step 2
Yeah, using an LDAP query and the modify command, reset all user passwords to their existing values.
#ROOTDN="Your rootdn value"
#ROOTPW="Your rootdn password"
#ldapsearch -xw $ROOTPW -D $ROOTDN -b dc=sunt,dc=com -LLL '(&(userpassword=*)(pwdchangedtime=*))' userpassword | \
sed '/^userPassword:/ i\replace: userpassword' | ldapmodify -xw $ROOTPW -D $ROOTDN
This command sets each entry's last-password-changed time (pwdChangedTime) to the current time. The password itself is never changed.
Step 3
Now all user passwords are active. But since they were previously in an expired state, the accounts might have been locked, and those must be unlocked.
Use this command to get the list of locked accounts from LDAP.
# ldapsearch -xw $ROOTPW -D $ROOTDN -b dc=sunt,dc=com -LLL '(&(userpassword=*)(pwdAccountLockedTime=*))' pwdaccountlockedtime
The command below unlocks all locked user accounts immediately.
#ldapsearch -xw $ROOTPW -D $ROOTDN -b dc=sunt,dc=com -LLL '(&(userpassword=*)(pwdAccountLockedTime=*))' dn | \
sed '/^dn:/ a\delete: pwdAccountLockedTime' | ldapmodify -xw $ROOTPW -D $ROOTDN
Now the users will be able to log in with their current passwords.
Did this post help you? If you have any comments or suggestions, write them here.
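As an added example (not part of the original post), the shell functions below turn `ldapsearch -LLL` output into the modify LDIF used in Step 2 and Step 3, unfolding continuation lines and keeping base64 (`::`) values intact, so the change set can be inspected as a dry run before it is piped into ldapmodify. The sample entries, their placeholder hashes and the lock timestamp are constructed; only the base DN dc=sunt,dc=com comes from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build the ldapmodify LDIF for
# Step 2 (re-stamp pwdChangedTime by replacing userPassword with itself) and
# Step 3 (delete pwdAccountLockedTime) from ldapsearch -LLL output, so the
# change set can be reviewed before it is piped into ldapmodify.

# Unfold LDIF: a line that starts with one space continues the previous line.
ldif_unfold() {
  awk 'NR > 1 && /^ / { printf "%s", substr($0, 2); next }
       NR > 1         { print "" }
                      { printf "%s", $0 }
       END            { print "" }'
}

# $1 = replace | delete, $2 = attribute name (matched case-insensitively).
# One modify record per entry that actually carries the attribute; for
# "replace" the current value (plain or base64 "::") is written back unchanged.
make_modify_ldif() {
  ldif_unfold | awk -v op="$1" -v attr="$2" '
    function emit() {
      if (dn != "" && val != "") {
        print dn; print "changetype: modify"; print op ": " attr
        if (op == "replace") print val
        print "-"; print ""
      }
      dn = ""; val = ""
    }
    /^dn:/ { dn = $0 }
    tolower($0) ~ ("^" tolower(attr) ":") { val = $0 }
    /^$/   { emit() }
    END    { emit() }'
}

# Constructed sample of what a search such as
#   ldapsearch -x -LLL -b dc=sunt,dc=com '(userPassword=*)' userPassword pwdAccountLockedTime
# returns: emp1 is locked; emp2's base64 hash is folded over two lines.
# The hashes are placeholders, not real credentials.
SAMPLE_LDIF='dn: uid=emp1,ou=people,dc=sunt,dc=com
userPassword: {SSHA}constructed-sample-1
pwdAccountLockedTime: 20240105093012Z

dn: uid=emp2,ou=people,dc=sunt,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0
 ZWQtc2FtcGxlLTI=
'

# Dry run: print the LDIF instead of piping it to ldapmodify -x -D "$ROOTDN" -w "$ROOTPW"
printf '%s' "$SAMPLE_LDIF" | make_modify_ldif replace userPassword
printf '%s' "$SAMPLE_LDIF" | make_modify_ldif delete pwdAccountLockedTime
```

Replace the constructed `SAMPLE_LDIF` with a real `ldapsearch -LLL ... userPassword pwdAccountLockedTime` run, review the printed records, and only then append `| ldapmodify -xw $ROOTPW -D $ROOTDN`.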