Problem:
S4-Connector reject:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/univention/s4connector/__init__.py", line 785, in __sync_file_from_ucs
if not self.sync_from_ucs(key, mapped_object, pre_mapped_ucs_dn, old_dn, old, new):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/univention/s4connector/s4/__init__.py", line 2291, in sync_from_ucs
post_con_modify_function(self, property_type, object)
File "/usr/lib/python3/dist-packages/univention/s4connector/s4/password.py", line 652, in password_sync_ucs_to_s4
s4connector.lo_s4.lo.modify_ext_s(object['dn'], modlist, serverctrls=[ctrl_bypass_password_hash])
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 400, in modify_ext_s
resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all=1,timeout=self.timeout)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 543, in result3
resp_type, resp_data, resp_msgid, decoded_resp_ctrls, retoid, retval = self.result4(
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 553, in result4
ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 128, in _ldap_call
result = func(*args,**kwargs)
ldap.NO_SUCH_ATTRIBUTE: {'msgtype': 103, 'msgid': 115283, 'result': 16, 'desc': 'No such attribute', 'ctrls': [], 'info': "attribute 'dBCSPwd': no such attribute for delete on CN=cscheini,OU=mitarbeiter,DC=schein,DC=me
The impact is that the passwords of the affected users are no longer synchronized from UCS to Samba/AD, which is critical in most scenarios.
Investigation:
dBCSPwd and sambaLMPassword are both LDAP attributes that store the LAN Manager (LM) hash of a user's password, a legacy format that only old Samba and Windows clients still need for authentication.
Key differences:
sambaLMPassword: the attribute of the Samba 3 LDAP schema (used in the UCS OpenLDAP directory) that stores the LM hash. It is paired with sambaNTPassword, which holds the NT hash.
dBCSPwd: the attribute of the Active Directory schema, and therefore also of the Samba AD directory that the S4 Connector writes to, that stores the LM hash. Its counterpart for the NT hash is unicodePwd. When the S4 Connector synchronizes password hashes from UCS to Samba (password.py in the traceback above), sambaLMPassword is mapped to dBCSPwd and sambaNTPassword to unicodePwd.
The LM hash is obsolete and insecure (DES-based, case-insensitive, effectively two independent 7-character halves). Modern systems use the NT hash or Kerberos instead.
Active Directory: AD does not store LM hashes by default, so dBCSPwd is simply absent from the user object. Samba's smbpasswd-style output shows a missing LM hash as 32 X characters (XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX).
In old, long-running environments users may still have an LM password hash set from earlier UCS versions. In Samba AD the attribute is called dBCSPwd. In UCS, LM hash handling is controlled by the UCR variable password/samba/lmhash; check its current value with:
ucr get password/samba/lmhash
Solution:
Remove the sambaLMPassword attribute from the affected user in the UCS LDAP directory. The LDIF record needs a dn: line, and the modification is done as cn=admin on the Primary Directory Node (as root, because /etc/ldap.secret is only readable by root):
cat remove-lmhash.ldif
dn: uid=cscheini,ou=mitarbeiter,dc=schein,dc=me
changetype: modify
delete: sambaLMPassword
ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret -f remove-lmhash.ldif
Or using the script:
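The script itself is not reproduced on this page. As an added example, which is not that script and not Univention code, the following shell script performs the same removal for every user in the UCS directory that still carries a sambaLMPassword, instead of one hand-written LDIF per user. Everything beyond the LDIF above is an assumption of this example: a UCS Primary Directory Node with ucr, ldapsearch and ldapmodify, the cn=admin password in /etc/ldap.secret, the LDAP filter (&(objectClass=sambaSamAccount)(sambaLMPassword=*)), and the --dry-run/--apply options.

```shell
#!/bin/sh
# Added example (not the script referred to on this page, not Univention code):
# find every UCS user that still has a sambaLMPassword and delete the attribute,
# producing the same "changetype: modify / delete: sambaLMPassword" records as
# the single-user LDIF above, for all affected users at once.
# Assumed environment: UCS Primary Directory Node, run as root, with ucr,
# ldapsearch/ldapmodify and the cn=admin password in /etc/ldap.secret.

# Turn ldapsearch LDIF output into plain DNs, one per line. ldapsearch emits
# "dn:: <base64>" for DNs that contain non-ASCII characters (e.g. umlauts in an
# OU name), so both forms are handled; everything else is ignored.
extract_dns() {
    while IFS= read -r line; do
        case "$line" in
            "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; printf '\n' ;;
            "dn: "*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done
}

# Build one LDIF modify record per DN read from stdin (blank lines are skipped).
build_lmhash_ldif() {
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        printf 'dn: %s\nchangetype: modify\ndelete: sambaLMPassword\n-\n\n' "$dn"
    done
}

# List the DNs of all users that still have an LM hash. "-o ldif-wrap=no" keeps
# long DNs on a single line and "1.1" requests no attributes, only the DN.
# The search result is captured first so that an ldapsearch failure is not
# hidden behind the pipe into extract_dns.
find_users_with_lmhash() {
    ldap_base="$(ucr get ldap/base)"
    out="$(ldapsearch -x -LLL -o ldif-wrap=no -D "cn=admin,${ldap_base}" \
        -y /etc/ldap.secret -b "${ldap_base}" \
        '(&(objectClass=sambaSamAccount)(sambaLMPassword=*))' 1.1)" \
        || { echo "ldapsearch failed" >&2; return 1; }
    printf '%s\n' "$out" | extract_dns
}

main() {
    case "${1:-}" in
        --dry-run|--apply) ;;
        *) echo "usage: $0 --dry-run | --apply" >&2; return 2 ;;
    esac
    ldif="$(mktemp)"
    trap 'rm -f "$ldif"' EXIT
    find_users_with_lmhash | build_lmhash_ldif > "$ldif"
    if [ ! -s "$ldif" ]; then
        echo "No users with sambaLMPassword found." >&2
        return 0
    fi
    if [ "$1" = "--dry-run" ]; then
        cat "$ldif"                      # show what --apply would send
    else
        ldapmodify -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret -f "$ldif"
    fi
}

# Only act when invoked with an option; without one the functions are just defined.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it with --dry-run first and review the generated LDIF, then with --apply. After the modifications the S4 Connector resynchronizes the affected users, and the value of password/samba/lmhash from the investigation above should be reviewed so that new LM hashes are not written again.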