Does anyone have LDAP password change working with "passwd"?



I've dug through many email list archives.  I've found other cases where
people had similar problems, but no solutions posted.

Is this even possible (it seems it should be)?

Dax

On Tue, 14 Aug 2001, Dax Kelson wrote:

>
> Users can login with NO problems.  Changing the passwords is the problem.
>
> Running passwd gives:
>
> Enter login(LDAP) password: [password entered]
> LDAP Password incorrect: try again  (this comes back very quickly)
> Enter login(LDAP) password: [password entered]
> (etc, etc)
>
> On the machine where the user is trying to change the password,
> /var/log/message shows:
>
> passwd[14697]: pam_ldap: error trying to bind as user
> "uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)
>
> Configuration follows:
>
> I've set up an OpenLDAP 2.0.11 server, here are the access control lines
> (taken from the Administrator's Guide).  I imported everything using the
> PADL migration scripts.
>
> access to * by * read
> access to attr=userPassword
>         by self write
>         by anonymous auth
>         by * none
> access to *
>         by self write
>         by users read
> access to * by users read
>
>
> === On the clients /etc/ldap.conf
> host server1.example.com server2.example.com
> base dc=example,dc=com
> port 636
> ssl start_tls
> ssl yes
>
> # cat /etc/pam.d/passwd
> #%PAM-1.0
> auth       required     /lib/security/pam_stack.so service=system-auth
> account    required     /lib/security/pam_stack.so service=system-auth
> password   required     /lib/security/pam_stack.so service=system-auth
>
> # cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     required      /lib/security/pam_unix.so
> account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>
> password    required      /lib/security/pam_cracklib.so retry=3
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/pam_ldap.so use_authtok
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_ldap.so
>
>
>
>