
FW: pam_ldap OpenLDAP Insufficient access, multiple password prompts, password encryption



> I'm not sure why, but this appeared to get bounced the first time.  Maybe
> I was a little too quick after the confirmation.
> 
> 
>  -----Original Message-----
> From: 	Greg Hodgins  
> Sent:	March 2, 2002 2:31 AM
> To:	'openldap-software@OpenLDAP.org'
> Subject:	pam_ldap OpenLDAP Insufficient access, multiple password
> prompts, password encryption
> 
> Hi all.  I've given it my all, but I can't get my ldap authentication
> working properly on my RH 7.2 box.  I'm almost there.  If I leave my ACL
> wide open 
> 
> access to *
> by * write
> 
> things work pretty well for the most part.  I can log in, and change my
> passwords and everything stays in sync between ldap and Unix - although I
> do have to type in the password for both pam_unix and pam_ldap (I would
> guess that is what is occurring).  I think this should be avoidable, but
> playing with the try/use_first_pass doesn't seem to work. It gets even
> worse, three prompts (two from unix, one from pam) if I put the pam_ldap
> module after pam_unix_passwd.  I have a feeling this is to do with the
> password encryption.  I have md5 turned on in the /etc/shadow passwords,
> and the password would not appear to be stored in the same way in
> OpenLDAP.
> 
> ** Just a note to some that might encounter the same problem as me.  By
> making the pam_ldap and pam_unix auth required, if the passwords get out
> of sync, as they very well can, you will end up with Access denied
> (through SSH anyway) or something similar**
> 
> Anyhow the real problem is the password changing does not work at all if I
> tighten up the ACL, as I must, but certainly still to where it should work
> - like below for example.
> 
>  access to *
>         by self write
>         by dn="uid=root,dc=domain,dc=com" write
>         by * read
>         by anonymous auth
> 
> With the above access I get the following Insufficient access message when
> changing passwords (you can also see the number of prompts it is giving
> me)
> 
> [greg@gateway greg]$ passwd
> Changing password for greg
> (current) UNIX password:
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> Enter new UNIX password:
> Retype new UNIX password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insufficient access
> passwd: Permission denied
> [greg@gateway greg]$
> 
> What does the "self" in the ACL refer to?  Who is bound in this scenario?
> The user id + the base DN in slapd.conf?  Also, if I bind with my rootdn
> at the command prompt things work fine for adding entries using ldapadd,
> but if I try to change the password for the same user I get the following.
> Very very frustrating.
> 
> [root@gateway openldap]# ldappasswd -WS -D 'cn=root,dc=domain,dc=com' -x greg
> New password:
> Re-enter new password:
> Enter bind password:
> Result: Invalid DN syntax (34)
> Additional info: Invalid DN
> 
> or
> 
> [root@gateway openldap]# ldappasswd -WS -D 'cn=root,ou=People,dc=domain,dc=com' -x greg
> New password:
> Re-enter new password:
> Enter bind password:
> ldap_bind: Invalid credentials
> 
> but as stated I can bind and add with the same root dn no problems (see
> below)
> 
> [root@gateway openldap]# ldapadd -x -D "cn=root,dc=domain,dc=com" -W -f testuser.ldif
> Enter LDAP Password:
> adding new entry "uid=testuser,ou=People,dc=domain,dc=com"
> 
> [root@gateway openldap]#
>
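As an added illustration (not part of the thread and not OpenLDAP code): a small Python model of how slapd evaluates the `access to ... by ...` blocks quoted above, run over the two ACLs from the message plus a rewritten one of my own. It assumes slapd's documented first-match rule (the first `access to` target that matches the attribute is used, and within it the first matching `by` clause decides; if no `by` clause matches, access is denied; the configured rootdn is exempt from ACLs) and uses constructed DNs for the users. The point it makes visible is that in the tightened ACL `by * read` precedes `by anonymous auth`, so an anonymous bind is granted read on userPassword and the `auth` clause can never match; the rewritten ACL gives userPassword its own rule and orders the clauses so that is not the case. It also shows that a bind DN which does not literally match the `dn="uid=root,..."` clause falls through to the `*` clause, while the rootdn is treated as exempt.

```python
# Added example: simplified simulator of slapd.conf-style ACL evaluation.
# Not slapd code; it models the documented first-match semantics only.
import re

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse 'access to <target>' / 'by <who> <level>' lines.

    Returns a list of (attrs_or_None, [(who, level), ...]); attrs is None
    for 'access to *' and a set of attribute names for 'attrs=a,b'.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("access to"):
            target = line[len("access to"):].strip()
            if target == "*":
                rules.append((None, []))
            elif target.startswith("attrs="):
                rules.append((set(target[len("attrs="):].split(",")), []))
            else:
                raise ValueError("unsupported target: " + target)
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            if level not in LEVELS:
                raise ValueError("unknown level: " + level)
            rules[-1][1].append((who, level))
        else:
            raise ValueError("unparsed line: " + line)
    return rules


def who_matches(who, bound_dn, target_dn):
    """Does a 'by <who>' clause apply to this bind DN acting on target_dn?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn == ""
    if who == "users":
        return bound_dn != ""
    if who == "self":  # bound identity is the entry being accessed
        return bound_dn != "" and bound_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return bound_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported who: " + who)


def access_level(rules, bound_dn, target_dn, attr, rootdn=None):
    """Level granted to bound_dn ('' = anonymous) on attr of entry target_dn."""
    if rootdn is not None and bound_dn.lower() == rootdn.lower():
        return "write"  # slapd's rootdn is never subject to ACLs
    for attrs, clauses in rules:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, bound_dn, target_dn):
                return level  # first matching 'by' clause wins
        return "none"  # target matched but no 'by' clause did: denied
    return "none"  # no 'access to' target matched


def allows(granted, needed):
    """Access levels are ordered; 'read' also satisfies 'auth', etc."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


# The two ACLs quoted in the message, copied verbatim.
WIDE_OPEN = """
access to *
        by * write
"""

TIGHTENED = """
access to *
        by self write
        by dn="uid=root,dc=domain,dc=com" write
        by * read
        by anonymous auth
"""

# Rewritten ACL (my assumption, not from the message): password hashes get
# their own rule, 'anonymous auth' precedes any '*' clause, and the rest is
# denied; ordinary entries are readable by authenticated users only.
HARDENED = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none
"""

# Constructed DNs for the simulation.
GREG = "uid=greg,ou=People,dc=domain,dc=com"
OTHER = "uid=other,ou=People,dc=domain,dc=com"
ANON = ""


def report(acl_text):
    """Who can do what to greg's userPassword under the given ACL text."""
    rules = parse_acl(acl_text)
    return {
        "greg_on_own_pw": access_level(rules, GREG, GREG, "userPassword"),
        "anon_on_pw": access_level(rules, ANON, GREG, "userPassword"),
        "other_user_on_pw": access_level(rules, OTHER, GREG, "userPassword"),
    }


if __name__ == "__main__":
    for name, acl in [("wide open", WIDE_OPEN), ("tightened", TIGHTENED),
                      ("hardened", HARDENED)]:
        print(name, report(acl))
```

Running it prints the granted level for the owner, an anonymous bind and an unrelated user under each ACL; under the tightened ACL the anonymous result is `read`, which is what the shadowed `auth` clause was meant to prevent.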