Problem: LDAP Bind possible with expired password

Problem

In a customer environment, the password of a user has expired by policy. When logging in to UMC without SSO, the user is properly asked to update the password. Keycloak and a direct LDAP bind, on the other hand, allow the login without any issues.

Expected behaviour for ldapsearch with a specified bind DN would be:

ldapsearch -o ldif-wrap=no -ZZ -D uid=charly.chap,cn=users,dc=schein,dc=me -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
        additional info: password expired

Environment (optional)

  • Samba Installed
  • UCS 5.x
  • Updated from UCS 4.2 or earlier (not a fresh installation)

Solution

The UCR variable ldap/shadowbind is probably still false and needs to be set to true. Without the shadowbind overlay, slapd itself never checks the shadow attributes: only clients that evaluate password expiry on their own (such as UMC) enforce it, while anything that authenticates by a plain LDAP bind (Keycloak, ldapsearch) gets in. After changing the variable, restart slapd so that the overlay is actually loaded. From the UCS 4.2 release notes:

With Univention Corporate Server 4.2 the OpenLDAP server by default denies the LDAP bind if passwords or the accounts are expired. This feature is not activated for systems updated to Univention Corporate Server 4.2, but can be activated by setting the Univention Configuration Registry variable ldap/shadowbind to true.
UCS 4.2 Release Notes

Investigation

Compare the active overlays of a working and a non-working system using:
ldapsearch -LLL -H ldapi:// -Q -Y EXTERNAL -b "cn=config" 'objectClass=olcOverlayConfig' olcOverlay dn
→ on the affected system, the shadowbind overlay is missing

ucr search shadowbind
ldap/shadowbind: false
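The two checks from the Solution and Investigation sections (the UCR value and the overlay list in cn=config) combined into one diagnostic script. This is an added example for this article, not code from the original post or from Univention; the exit codes, function names and the sample LDIF are my own assumptions, and the LDIF is constructed rather than captured from a real UCS host. On a host that has ucr and ldapsearch it queries the live system, otherwise it runs against the samples.

```sh
#!/bin/sh
# Added example, not part of the original post or of UCS itself.
# Decides whether slapd on a UCS system will refuse binds with expired
# passwords, from the ldap/shadowbind value and the overlays in cn=config.

SB_OK=0          # ldap/shadowbind true and overlay loaded: expired passwords cannot bind
SB_UCR_FALSE=1   # ldap/shadowbind not true: set it to true
SB_NOT_LOADED=2  # variable true but overlay absent: slapd still runs the old configuration

# Does the LDIF in file $1 list an overlay named shadowbind?  cn=config prefixes
# the value with an ordering index, e.g. "olcOverlay: {0}shadowbind", so the
# index is optional in the pattern.
has_shadowbind_overlay() {
    grep -qE '^olcOverlay: (\{[0-9]+\})?shadowbind[[:space:]]*$' "$1"
}

# $1: value of `ucr get ldap/shadowbind`; $2: file holding the output of
# ldapsearch -LLL -H ldapi:// -Q -Y EXTERNAL -b cn=config 'objectClass=olcOverlayConfig' olcOverlay dn
check_shadowbind() {
    sb_value=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$sb_value" in
        true|yes|on|1|enable|enabled) ;;   # spellings UCR treats as true
        *)
            echo "ldap/shadowbind='$1': slapd accepts binds with expired passwords; set it to true"
            return $SB_UCR_FALSE ;;
    esac
    if has_shadowbind_overlay "$2"; then
        echo "shadowbind overlay active: binds with expired passwords are refused"
        return $SB_OK
    fi
    echo "ldap/shadowbind is true but cn=config shows no shadowbind overlay: restart slapd"
    return $SB_NOT_LOADED
}

# Query the live system; only used when the UCS tools are present.
live_check() {
    sb_tmp=$(mktemp)
    ldapsearch -LLL -H ldapi:// -Q -Y EXTERNAL -b cn=config \
        'objectClass=olcOverlayConfig' olcOverlay dn > "$sb_tmp"
    check_shadowbind "$(ucr get ldap/shadowbind)" "$sb_tmp"
    sb_rc=$?
    rm -f "$sb_tmp"
    return $sb_rc
}

# Constructed sample LDIF (not captured from a real UCS host) in the shape the
# ldapsearch above returns, once with and once without the shadowbind overlay.
SAMPLE_WITH=$(mktemp)
SAMPLE_WITHOUT=$(mktemp)
trap 'rm -f "$SAMPLE_WITH" "$SAMPLE_WITHOUT"' EXIT
cat > "$SAMPLE_WITH" <<'EOF'
dn: olcOverlay={0}shadowbind,olcDatabase={1}mdb,cn=config
olcOverlay: {0}shadowbind

dn: olcOverlay={1}translog,olcDatabase={1}mdb,cn=config
olcOverlay: {1}translog
EOF
cat > "$SAMPLE_WITHOUT" <<'EOF'
dn: olcOverlay={0}translog,olcDatabase={1}mdb,cn=config
olcOverlay: {0}translog
EOF

if command -v ucr >/dev/null 2>&1 && command -v ldapsearch >/dev/null 2>&1; then
    live_check || :
else
    # Offline demonstration of the three outcomes on the constructed samples.
    for sb_case in "true $SAMPLE_WITH" "false $SAMPLE_WITH" "true $SAMPLE_WITHOUT"; do
        set -- $sb_case
        sb_rc=0; check_shadowbind "$1" "$2" || sb_rc=$?
        echo "  -> exit $sb_rc"
    done
fi
```

Exit code 2 is the case worth knowing about: ucr already reports true, but the overlay list still lacks shadowbind because slapd has not been restarted since the variable was set, so binds with expired passwords are still accepted.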
