Re: [pamldap] Re: Does any have LDAP password change working with "passwd"?
On Wed, 15 Aug 2001, David Wright wrote:
>
> > Is this even possible (it seems it should be)?
>
> Yes. I do, but it took some doing to get it working. First, pick a
> password scheme for OpenLDAP (in /etc/openldap/slapd.conf). I chose
> password-hash {MD5}password
>
> Next, tell pam_ldap to let OpenLDAP do the password hashing (in
> /etc/ldap.conf), instead of trying to do it locally.
> pam_password exop

Many thanks for replying. I'm using nss_ldap-167 from Red Hat rawhide
rebuilt for RH7.1. It includes pam_ldap-122.

User logins work with no problems.

When I run "passwd" it prompts for the current password; I type it and
press enter.

Over on the OpenLDAP server, this is what the log shows:

Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access to "uid=testuser,ou=People,dc=example,dc=com" "userPassword" requested
Aug 15 10:09:50 shaka slapd[9786]: => acl_get: [1] check attr userPassword
Aug 15 10:09:50 shaka slapd[9786]: <= acl_get: [1] acl uid=testuser,ou=People,dc=example,dc=com attr: userPassword
Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: access to entry "uid=testuser,ou=People,dc=example,dc=com", attr "userPassword" requested
Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: to all values by "", (=n)
Aug 15 10:09:50 shaka slapd[9786]: <= check a_dn_pat: *
Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] applying read (=rscx) (stop)
Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] mask: read (=rscx)
Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access granted by read (=rscx)

On the client machine, this is what /var/log/messages shows:

pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)

Here is /etc/ldap.conf:

host shaka.example.com
base dc=example,dc=com
port 636
pam_password exop
ssl start_tls
ssl yes

Any and all feedback greatly appreciated.
Dax