[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problem changing LDAP passwords with "passwd"

To: "openldap-software@OpenLDAP.org" <openldap-software@OpenLDAP.org>
Subject: Problem changing LDAP passwords with "passwd"
From: Dax Kelson <dax@gurulabs.com>
Date: Tue, 14 Aug 2001 11:40:00 -0600 (MDT)

Users can login with NO problems.  Changing the passwords is the problem.

Running passwd gives:

Enter login(LDAP) password: [password entered]
LDAP Password incorrect: try again  (this comes back very quickly)
Enter login(LDAP) password: [password entered]
(etc, etc)

The the machine where the user is trying to change the password,
/var/log/message shows:

passwd[14697]: pam_ldap: error trying to bind as user
"uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)

Configuration follows:

I've setup an OpenLDAP 2.0.11 server, here are the access control lines
(taken from the Administrator's Guide).  I imported everything using the
PADL migration scripts.

access to * by * read
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
access to * by users read


=== On the clients /etc/ldap.conf
host server1.example.com server2.example.com
base dc=example,dc=com
port 636
ssl start_tls
ssl yes

# cat /etc/pam.d/passwd
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

Follow-Ups:
- Does any have LDAP password change working with "passwd"?
  - From: Dax Kelson <dax@gurulabs.com>

Prev by Date: RE: [courier-users] courier-imap-1.3.9 make check failure
Next by Date: ldapmodify
Index(es):
- Chronological
- Thread