
password change with linux and pam_ldap?



Hello,

I'm trying to get a small LDAP implementation going for educational purposes, but it seems I've run up against a brick wall.

After checking the list archives, looking for any meaningful documentation on the OpenLDAP site (there isn't any -- it seems that the authors are perfectly content with simply authenticating via LDAP), and pulling my hair out, I've given up -- does anyone have a HOWTO or any documentation on how one sets up PAM so that passwd can change a user's password, or chfn can change a user's finger information?

Here's what I can do:

1. run ldapsearch:

ldapsearch -h 192.168.1.10 -b "dc=netgawds,dc=com" "(&(objectClass=posixAccount)(uid=gswallow))"

version: 2

#
# filter: (&(objectClass=posixAccount)(uid=gswallow))
# requesting: ALL
#

# gswallow, People, netgawds, com
dn: uid=gswallow,ou=People,dc=netgawds,dc=com
uid: gswallow
cn: Greg Swallow
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 11652
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/tcsh
uidNumber: 500
gidNumber: 100
homeDirectory: /home/gswallow
gecos: Greg Swallow
userPassword:: crypted string

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


2. run ldappasswd:

ldappasswd -h 192.168.1.10 -x -D uid=gswallow,ou=People,dc=netgawds,dc=com -W -d 256 -S uid=gswallow,ou=People,dc=netgawds,dc=com

slapd logs:

daemon: conn=51 fd=7 connection from IP=192.168.1.2:36799 (IP=0.0.0.0:0) accepted.
conn=51 op=0 BIND dn="UID=GSWALLOW,OU=PEOPLE,DC=NETGAWDS,DC=COM" method=128
ber_flush: 14 bytes to sd 7
conn=51 op=0 RESULT tag=97 err=0 text=
ber_flush: 14 bytes to sd 7
conn=51 op=2 UNBIND
conn=-1 fd=7 closed


And here's what I can't do:

passwd

Enter login(LDAP) password:
passwd: Authentication information cannot be recovered

and the slapd logs for this transaction:

daemon: conn=1 fd=7 connection from IP=192.168.1.2:36804 (IP=0.0.0.0:0) accepted.
conn=1 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 7
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="dc=netgawds,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=500))"
ber_flush: 335 bytes to sd 7
ber_flush: 14 bytes to sd 7
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=1 op=2 SRCH base="dc=netgawds,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=gswallow))"
ber_flush: 335 bytes to sd 7
ber_flush: 14 bytes to sd 7
conn=1 op=2 SEARCH RESULT tag=101 err=0 text=
daemon: conn=2 fd=12 connection from IP=192.168.1.2:36805 (IP=0.0.0.0:0) accepted.
conn=2 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 12
conn=2 op=0 RESULT tag=97 err=0 text=
conn=2 op=1 SRCH base="dc=netgawds,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=gswallow))"
ber_flush: 408 bytes to sd 12
ber_flush: 14 bytes to sd 12
conn=2 op=1 SEARCH RESULT tag=101 err=0 text=
conn=2 op=2 BIND dn="UID=GSWALLOW,OU=PEOPLE,DC=NETGAWDS,DC=COM" method=128
ber_flush: 14 bytes to sd 12
conn=2 op=2 RESULT tag=97 err=0 text=
conn=2 op=3 BIND dn="" method=128
ber_flush: 14 bytes to sd 12
conn=2 op=3 RESULT tag=97 err=0 text=
conn=-1 fd=7 closed
conn=2 op=4 UNBIND
conn=-1 fd=12 closed


Other details: client = pam-0.75, pam_ldap 140, nss_ldap 185, openldap libs from 2.0.23.

pam.conf:

passwd  auth       sufficient pam_ldap.so
passwd  auth       required   pam_unix.so shadow md5 use_first_pass
passwd  account    sufficient pam_ldap.so use_authtok
passwd  account    sufficient pam_unix.so shadow md5
passwd  password   sufficient pam_ldap.so use_authtok
passwd  password   sufficient pam_unix.so shadow md5

server = openldap 2.0.23 (solaris 2.6), ldbm backend

slapd.conf (ACLs):

access to *
        by * write

And yes, I *know* this is insecure. With only two users to support behind a firewall, though, I can live with it until I figure out what the hell is going on.

Anyway, if anyone has gotten this to work, *please* give me a couple hints. I've got a few more gray hairs now that I started dealing with this.

Also, where is *any* documentation on what tags and error codes mean? Haven't found any so far and I'm rather unimpressed with the available documentation.

Once again, thanks in advance!
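Two added configuration fragments follow, serving both the pam.conf and the slapd.conf ACL sections of the post above. They are not the poster's configuration and not sample files from the OpenLDAP or PADL projects: a passwd service for /etc/pam.conf without use_authtok on the first module of the password stack, and a slapd.conf ACL that allows self-service password and finger-information changes without leaving the whole directory world-writable. The attribute choices, and the reading of the log as a use_authtok problem, are assumptions. In Linux-PAM, use_authtok tells a module to take the new password already collected by an earlier module in the password stack rather than prompting for one; on the first module of the stack there is nothing to take, and PAM_AUTHTOK_RECOVER_ERR is the code Linux-PAM renders as "Authentication information cannot be recovered". That reading fits the slapd log above, where the BIND as the user (the old-password check) succeeds and no modify or password-modify operation follows before the UNBIND.

```conf
# --- /etc/pam.conf on the Linux client (Linux-PAM 0.75, pam.conf format) ---
# Added example, not the configuration from the post. pam_unix is kept
# "required" on the account stack so a user unknown to both LDAP and
# /etc/passwd is refused instead of silently passing.
passwd  auth       sufficient pam_ldap.so
passwd  auth       required   pam_unix.so shadow md5 use_first_pass
passwd  account    sufficient pam_ldap.so
passwd  account    required   pam_unix.so
# As posted, the first password module carried use_authtok. That option makes
# a module reuse a new password collected by an earlier module; with nothing
# earlier in the stack there is none, so the module fails before it ever
# sends a modify to slapd. Let pam_ldap prompt for the new password itself,
# and fall through to pam_unix for accounts that live only in /etc/shadow.
passwd  password   sufficient pam_ldap.so
passwd  password   required   pam_unix.so shadow md5
# use_authtok belongs on a module that runs AFTER one that already prompted,
# e.g. pam_cracklib, then pam_ldap use_authtok, then pam_unix use_authtok.

# --- slapd.conf on the 2.0.23 server: replaces "access to * / by * write" ---
# Passwords: the entry's owner may change their own; anonymous may only use
# the attribute to authenticate (needed for the simple BINDs seen in the log,
# which is how pam_ldap checks the old password); nobody may read it back.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# Finger information and shell: the owner may change them, everyone may read
# (nss_ldap searches anonymously in this setup). uidNumber and gidNumber are
# deliberately NOT self-writable, so a user cannot change their own numeric
# identity. ACLs are evaluated in order; the catch-all must come last.
access to attrs=gecos,loginShell
        by self write
        by * read
access to *
        by * read
```

On the question of what the log fields mean: the tag values are the BER application tags of the LDAP response PDUs from RFC 2251, so tag=97 (0x61) is a BindResponse and tag=101 (0x65) a SearchResultDone; err is the LDAP resultCode, with 0 meaning success; method=128 (0x80) on a BIND is the simple-authentication choice. A successful password change through pam_ldap should therefore show, after the user's BIND, either a MOD on the user's DN or a password-modify extended operation, neither of which appears in the log above.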