[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [pamldap] Re: Does any have LDAP password change working with "passwd"?
Looks to me like slapd is allowing you only auth access to the
userPassword attribute. You might want to look over your acl's again to
make and have your userPassword acl look something like this
access to attr=userPassword
by dn="cn=manager...." write
by self write
by anonymous auth
by * none
Hope that helps,
Andy
On Wed, 15 Aug 2001, Dax Kelson wrote:
> On Wed, 15 Aug 2001, David Wright wrote:
>
> >
> > > Is this even possible (it seems it should be)?
> >
> > Yes. I do, but it took some doing to get it working. First, pick a
> > password scheme for OpenLDAP (in /etc/openldap/slapd.conf). I chose
> > password-hash {MD5}password
> >
> > Next, tell pam_ldap to let OpenLDAP do the password hashing (in
> > /etc/ldap.conf), instead of trying to do it locally.
> > pam_password exop
>
> Many thanks for replying. I'm using nss_ldap-167 from Red Hat rawhide
> rebuilt for RH7.1. It includes pam_ldap-122.
>
> User logins work with no problems.
>
> When I run "passwd" it prompts for the current password, I type it and
> press enter.
>
> Over on the OpenLDAP server, this is what log shows.
>
> Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access to
> "uid=testuser,ou=People,dc=example,dc=com" "userPassword" requested
> Aug 15 10:09:50 shaka slapd[9786]: => acl_get: [1] check attr userPassword
> Aug 15 10:09:50 shaka slapd[9786]: <= acl_get: [1] acl
> uid=testuser,ou=People,dc=example,dc=com attr: userPassword
> Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: access to entry
> "uid=testuser,ou=People,dc=example,dc=com", attr "userPassword" requested
> Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: to all values by "", (=n)
> Aug 15 10:09:50 shaka slapd[9786]: <= check a_dn_pat: *
> Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] applying read (=rscx)
> (stop)
> Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] mask: read (=rscx)
> Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access granted
> by read (=rscx)
>
> On the client machine, this is what /var/log/messages shows:
>
> pam_ldap: error trying to bind as user
> "uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)
>
> Here is /etc/ldap.conf
>
> host shaka.example.com
> base dc=example,dc=com
> port 636
> pam_password exop
> ssl start_tls
> ssl yes
>
>
> Any and all feedback greatly appreciated.
>
> Dax
>