All,
Regarding the two questions in my prior e-mail, I received answers from Jawed and Andreas (thank you!).
I've been trying some of the suggestions and have had the following results:
1) Changes to ldap.conf file, etc.:
My environment is RedHat 8.0 with BDB. I created the account on the server with useradd; then migrated it to LDAP with the padl script; and finally deleted it from the server with userdel. On the clients I just created the home directory. There are no entries for the account on any /etc/passwd or /etc/shadow files on either the client or server machines. The LDAP-only record looks like this:
uid: dduck
cn: Donald Duck
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: e2NyeXB0fSQxJEwveGxsMjN5JDV2S2pmMnhVdXZucGhCSVBBTlU2dC8=
shadowLastChange: 12227
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 55555
gidNumber: 1000
homeDirectory: /home/dduck
gecos: Donald Duck
Again, for the LDAP-only user dduck, I can login or su to the account OK but can't change the password while logged in as the user or as root. When I try to change the password, I get the following responses (as dduck and as root):
login as: dduck
Sent username "dduck"
dduck@10.48.245.217's password:
[dduck@anadts42 dduck]$
[dduck@anadts42 dduck]$ passwd
Changing password for user dduck.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
Ctl-C
[dduck@anadts42 dduck]$
[dduck@anadts42 dduck]$ su -
Password:
[root@anadts42 root]# passwd dduck
Changing password for user dduck.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
When I try to change root's password, no problemo:
[root@anadts42 root]# passwd root
Changing password for user root.
New password:
The passwd-hash parameter in my slapd.conf file takes the default of SSHA. I have also set the parameter explicitly to {SSHA} with no effect.
In the ldap.conf file I have tried setting the pam_password parameter to clear and exop with no effect. I notice in the LDAP System Administration book that this parameter defines methods for changing passwords so that this is probably not related to client hashing.
What else should I be looking at?
2) ACL question:
The suggestion to grant read access was correct. However, the order seems to be important:
This works (although it is not recommended on page 57 of the O'Reilly LDAP book).
# Simple ACL granting read access to the world
access to *
by * read
# Restrict userPassword to be used for authentication only, but allow users
# to modify their own passwords.
access to attrs=userPassword
by self write
by * auth
login as: dduck
Sent username "dduck"
dduck@10.48.245.217's password:
[dduck@anadts42 dduck]$ id
uid=55555(dduck) gid=1000(webadmins) groups=1000(webadmins),80(desktop),48(apache)
[dduck@anadts42 dduck]$
This doesn't work (although it is recommended on page 58 of the O'Reilly LDAP book).
# Restrict userPassword to be used for authentication only, but allow users
# to modify their own passwords.
access to attrs=userPassword
by self write
by * auth
# Simple ACL granting read access to the world.
access to *
by * read
login as: dduck
Sent username "dduck"
dduck@10.48.245.217's password:
Access denied
dduck@10.48.245.217's password:
Obviously, I'm an LDAP newbie. Any ideas or suggestions will be greatly appreciated.
Thanx,
Joe (still confused in Anaheim) Jadick
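The ordering behaviour seen above follows from how slapd evaluates ACLs: access directives are examined in slapd.conf order, the first directive whose "access to" clause matches the target is used, and within it the first matching "by" clause decides; each privilege level (auth, read, write, ...) implies the lower ones. The Python below is an added example, not anything from the thread or from OpenLDAP itself: a simplified model of that evaluation (no dn-based "what" clauses, no continue/break, no rootdn bypass; an unmatched directive set is treated as deny) run over the two ACL sets quoted in the e-mail. The entry DN for dduck is a constructed value, since the message does not show one.

```python
"""Simplified model of slapd.conf ACL evaluation (see slapd.access(5)):
first matching 'access to' directive wins, then its first matching 'by' clause.
Added example; the two ACL sets below are the ones from the e-mail."""

# Privilege levels in ascending order; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def level_ok(granted, requested):
    """True when the granted level covers the requested one (e.g. read covers auth)."""
    return LEVELS.index(granted) >= LEVELS.index(requested)


def who_matches(who, bound_dn, target_dn):
    """'*' matches everyone (anonymous included); 'self' only a bind as the target entry."""
    if who == "*":
        return True
    if who == "self":
        return bound_dn is not None and bound_dn == target_dn
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    raise ValueError(f"unsupported <who> clause in this model: {who}")


def what_matches(what, attr):
    """<what> is either '*' or 'attrs=<comma separated list>' in this model."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what> clause in this model: {what}")


def check_access(acls, bound_dn, target_dn, attr, requested):
    """Evaluate like slapd: return (granted, directive_index, matched_who).

    acls: list of (what, [(who, level), ...]) in slapd.conf order.
    bound_dn: None for an anonymous bind, otherwise the bound DN.
    """
    for i, (what, by_clauses) in enumerate(acls):
        if not what_matches(what, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, bound_dn, target_dn):
                return level_ok(level, requested), i, who
        # 'what' matched but no 'by' clause did: implicit 'by * none'
        return False, i, None
    # no directive matched: this model denies
    return False, None, None


# Constructed DN; the e-mail does not show the entry's DN.
DDUCK = "uid=dduck,ou=People,dc=example,dc=com"

# ACL set that "works" (world read first, userPassword rule second).
WORKS = [
    ("*", [("*", "read")]),
    ("attrs=userPassword", [("self", "write"), ("*", "auth")]),
]

# ACL set recommended by the O'Reilly book (userPassword rule first).
RECOMMENDED = [
    ("attrs=userPassword", [("self", "write"), ("*", "auth")]),
    ("*", [("*", "read")]),
]

# (description, bound_dn, attr, requested level)
SCENARIOS = [
    ("anonymous read of userPassword", None, "userPassword", "read"),
    ("anonymous bind (auth) via userPassword", None, "userPassword", "auth"),
    ("dduck writes own userPassword", DDUCK, "userPassword", "write"),
    ("anonymous read of uid (nss lookup)", None, "uid", "read"),
]

if __name__ == "__main__":
    for name, acls in (("WORKS", WORKS), ("RECOMMENDED", RECOMMENDED)):
        print(f"== {name} ==")
        for desc, bound, attr, req in SCENARIOS:
            granted, idx, who = check_access(acls, bound, DDUCK, attr, req)
            print(f"{desc:40s} -> {'allow' if granted else 'deny':5s} "
                  f"(directive {idx}, by {who})")
```

Running it shows the two sides of the ordering: with "access to *" first, the userPassword directive is never consulted, so anonymous clients can read userPassword and a user bound as themselves gets only read on their own userPassword, never the "by self write" that the second directive intended. With the userPassword directive first, anonymous binds still get auth, userPassword is not world-readable, and self write is granted.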
-----Original Message-----
From: Jadick, Joe
Sent: Wednesday, July 30, 2003 1:57 PM
To: openldap-software@OpenLDAP.org
Subject: More password questions
I have been working with LDAP in a Linux environment with one LDAP server/client machine and two LDAP client machines.
I have a user defined only in the LDAP data base and can authenticate from all three client environments. Also, su and getent passwd work correctly as does id while I'm logged on as the user.
What I can't do is change the user's password (either as root or as the user).
I've tried two things, both individually and together:
1) Add the following entry to the client ldap.conf file:
pam_password exop
2) Add the following entry to the server slapd.conf:
# Restrict userPassword to be for authentication only, but allow users to modify
# their own passwords.
access to attrs=userPassword
by self write
by * auth
Neither change helps. The second change is actually disruptive and I can no longer login or su to the LDAP account while in that mode.
I must be missing something really basic but can't figure out what.
Confused in Anaheim....