Problem: Login Issues in UCS Portal and LDAP Authentication Errors

Problem

Users are experiencing login issues with the UCS portal, as indicated by errors found in /var/log/user.log:

Nov 11 09:47:36 ucs python3 /usr/sbin/univention-management-console-server: inexistant user user_123

Despite these login failures, direct LDAP connections remain functional, allowing applications reliant on LDAP authentication to continue working.

An excerpt from /var/log/auth.log shows the following error when attempting to log in:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/univention/management/console/ldap.py", line 188, in getter
    raise KeyError()
KeyError
...
ldap.INVALID_CREDENTIALS: {'desc': 'Invalid credentials'}

An attempt to reset the machine password following the instructions temporarily restored login functionality. However, the issue reoccurred within a few minutes.

Investigation

The root cause of the issue was identified as the password policy (ppolicy). The machine password had been changed but the change was not properly acknowledged, so subsequent binds with the stale credentials failed and the policy locked the machine account. This was evident from the pwdFailureTime and pwdAccountLockedTime attributes set on the machine object cn=ucs.

Solution

To resolve the issue, we executed the following steps:

  1. Temporarily disable the password policy and restart the LDAP service:

    ucr set ldap/ppolicy/enabled=no && systemctl restart slapd
    
  2. Adjust the machine password change interval and manually change the password:

    ucr set server/password/interval='-1'
    /usr/lib/univention-server/server_password_change
    ucr set server/password/interval='21'
    
  3. Re-enable the password policy and restart the LDAP service:

    ucr set ldap/ppolicy/enabled=yes && systemctl restart slapd
    
  4. Remove the pwdFailureTime and pwdAccountLockedTime attributes from the machine object using an LDIF file:

    Create a file named remove_pwdfailure.ldif with the following content:

    dn: cn=ucs,cn=dc,cn=computers,dc=domain,dc=intranet
    changetype: modify
    delete: pwdFailureTime
    -
    delete: pwdAccountLockedTime
    

    Apply the LDIF file using the following command:

    ldapmodify -x -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret -f remove_pwdfailure.ldif -e relax
    
