
RE: Changing passwords in Active Directory



Well,

In looking deeper, it appears that my problem may have something to do
with permissions on the AD side. The passwd command is logging the
following in /var/log/messages:

pam_ldap: ldap_modify_s Insufficient access

It's strange, but regular queries via ldapsearch work fine across
port 636. But trying to do so without anonymous authentication
comes up with the following:

ldapsearch -Hldaps://corpdc02.corp.promisant.com -b sub
"sAMAccountName=gadams" -d1

ldap_interactive_sasl_bind_s: server supports: GSSAPI GSS-SPNEGO
ldap_int_sasl_bind: GSSAPI GSS-SPNEGO
ldap_perror
ldap_sasl_interactive_bind_s: Unknown authentication method

Could this be coming if Kerberos isn't compiled into the various LDAP
components?

The crazy part is that Kerberos is working fine. Even better than fine
considering I haven't created a system account on the AD KDC. I can
kinit and kpasswd just fine. I'd like to be able to use the regular
passwd command though.

Regards,

--- Gavin

> -----Original Message-----
> From: Adams, Gavin
> Sent: Tuesday, June 11, 2002 11:56 AM
> To: openldap-software@OpenLDAP.org
> Subject: Changing passwords in Active Directory
> 
> Good day,
> 
> I'm in the process of integrating a RedHat 7.2 system into our corporate
> Active Directory (AD) to reduce the management of user accounts, etc.
> I've followed the steps to incorporate the schema bits, have enabled
> anonymous searches, verified in talking SSL to the domain controller on
> port 636, and am able to login to the RedHat system and enumerate the
> uid and gid's. So far, so good.
> 
> Now I'm trying to get the passwd command to update the user's password in
> AD. It takes the old password and new password, but returns the
> following:
> 
> bash-2.05$ passwd
> Enter login(LDAP) password:
> New password:
> Retype new password:
> LDAP password information update failed: Unknown error
> 00000005: SecErr: DSID-03190C3D, problem 4003 (INSUFF_ACCESS_RIGHTS),
> data 0
> 
> passwd: Permission denied
> 
> I assume this might have something to do with SSL/TLS, but my experience
> with OpenLDAP is limited.
> 
> Any thoughts on how to troubleshoot the password changing stuff?
> 
> Here's my /etc/ldap.conf file:
> 
> # @(#)$Id: ldap.conf,v 1.24 2001/09/20 14:12:26 lukeh Exp $
> 
> host corpdc02.corp.promisant.com corpdc01.corp.promisant.com
> 
> base dc=corp,dc=promisant,dc=com
> 
> ldap_version 3
> port 636
> 
> pam_password ad
> # RFC2307bis naming contexts
> nss_base_passwd         dc=corp,dc=promisant,dc=com?sub
> nss_base_shadow         dc=corp,dc=promisant,dc=com?sub
> nss_base_group          dc=corp,dc=promisant,dc=com?sub
> # configure --enable-mssfu-schema is no longer supported.
> # For MSSFU now do:
> nss_map_objectclass posixAccount User
> #nss_map_objectclass shadowAccount User
> nss_map_attribute uid sAMAccountName
> nss_map_attribute uniqueMember Member
> nss_map_attribute cn sAMAccountName
> #nss_map_attribute userPassword msSFUPassword
> nss_map_attribute userPassword msSFUPassword
> nss_map_attribute homeDirectory msSFUHomeDirectory
> nss_map_objectclass posixGroup Group
> #pam_login_attribute msSFUName
> pam_login_attribute sAMAccountName
> pam_filter objectclass=user
> 
> # OpenLDAP SSL mechanism
> # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
> ssl start_tls
> ssl on
> 
> 
> --- Gavin Adams
> Promisant (USA) Inc.
> O: +1.404.262.7321 M: +1.404.213.5539
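The following is an added example, not part of the post above or of pam_ldap itself. It reproduces by hand what a `pam_password ad` change sends to Active Directory, so the failing `passwd` step can be retried with `ldapmodify` and the AD error read without pam_ldap in the way. It relies on how AD handles its write-only `unicodePwd` attribute: the value is the password wrapped in double quotes and encoded UTF-16LE; a user changing its own password sends a single modify that deletes the old value and adds the new one (the "Change Password" right), while an administrator resets it with a replace (the "Reset Password" right); and AD refuses `unicodePwd` writes on an unencrypted connection, which is why the post's port 636 setup matters. The host name and the `SecErr` string come from the thread; the user DN is an assumption made up for illustration, since the thread never shows it. (A side note on the `ldapsearch` output in the reply: without `-x`, OpenLDAP's ldapsearch attempts a SASL bind, and "Unknown authentication method" means the client has no usable SASL mechanism for what the server offers; `-x` forces a simple bind instead.)

```python
"""Build and inspect the LDAP modify behind a "pam_password ad" change.

Added example, not code from the original post or from pam_ldap.
The user DN is assumed; the DC host and the SecErr text are from the thread.
"""
import base64
import re

LDAPS_URL = "ldaps://corpdc02.corp.promisant.com"          # from the thread
USER_DN = "CN=gadams,CN=Users,DC=corp,DC=promisant,DC=com"  # assumed DN


def encode_unicodepwd(password: str) -> bytes:
    """Raw unicodePwd value: the password in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def unicodepwd_b64(password: str) -> str:
    """Base64 form used after the 'unicodePwd::' LDIF separator."""
    return base64.b64encode(encode_unicodepwd(password)).decode("ascii")


def decode_unicodepwd(b64: str) -> str:
    """Inverse of unicodepwd_b64, to check what actually goes on the wire."""
    return base64.b64decode(b64).decode("utf-16-le")


def self_change_ldif(dn: str, old_password: str, new_password: str) -> str:
    """Self-service change: delete the old value and add the new one in one
    modify. This is what pam_ldap's 'ad' mode sends when bound as the user,
    and it needs only the Change Password right on the account."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {unicodepwd_b64(old_password)}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {unicodepwd_b64(new_password)}",
        "-",
        "",
    ])


def admin_reset_ldif(dn: str, new_password: str) -> str:
    """Administrative reset: a replace, which requires the Reset Password
    right on the target object (normally an admin, never the user itself)."""
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicodepwd_b64(new_password)}",
        "-",
        "",
    ])


def check_transport(url: str) -> bool:
    """AD rejects unicodePwd modifications unless the session is encrypted;
    with an ldap:// URL the modify would fail before any ACL is consulted."""
    return url.lower().startswith("ldaps://")


def ldapmodify_command(url: str, bind_dn: str, ldif_path: str) -> list:
    """Command line to apply the LDIF with OpenLDAP's ldapmodify, binding as
    the user with a simple bind (-x) and prompting for the password (-W)."""
    return ["ldapmodify", "-x", "-H", url, "-D", bind_dn, "-W", "-f", ldif_path]


_SECERR = re.compile(
    r"([0-9A-Fa-f]{8}): SecErr: DSID-([0-9A-Fa-f]+), "
    r"problem (\d+) \((\w+)\), data (\d+)"
)


def parse_ad_secerr(text: str) -> dict:
    """Pull the fields out of an AD 'SecErr' diagnostic string. The leading
    hex number is the Win32 error (00000005 = ERROR_ACCESS_DENIED), 'problem'
    is the directory-service error code and its symbolic name."""
    m = _SECERR.search(text)
    if not m:
        return {}
    return {
        "win32": int(m.group(1), 16),
        "dsid": m.group(2),
        "problem": int(m.group(3)),
        "name": m.group(4),
        "data": int(m.group(5)),
    }


if __name__ == "__main__":
    # Sample values are constructed for the demo; the error line is the one
    # quoted in the thread.
    print(self_change_ldif(USER_DN, "OldSecret1", "NewSecret2"))
    print(" ".join(ldapmodify_command(LDAPS_URL, USER_DN, "change.ldif")))
    print(parse_ad_secerr("00000005: SecErr: DSID-03190C3D, problem 4003 "
                          "(INSUFF_ACCESS_RIGHTS), data 0"))
```

Write the LDIF from `self_change_ldif` to a file and apply it with the printed `ldapmodify` line over ldaps://, binding as the user. If that also returns `INSUFF_ACCESS_RIGHTS`, the denial is on the AD side (the Change Password right on the account, for example the "User cannot change password" flag, which is implemented as deny ACEs for that right) rather than in pam_ldap; if the manual modify succeeds, pam_ldap is not binding as the identity you expect and its bind configuration is the next thing to check.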