[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ldap and passwd command

To: Adam Williams <awilliam@whitemice.org>, Karl Bellve <Karl.Bellve@umassmed.edu>
Subject: Re: Ldap and passwd command
From: Damon Jebb <list@damonjebb.net>
Date: Fri, 23 Jan 2004 09:25:19 +0000
Cc: Openldap list <openldap-software@OpenLDAP.org>
Content-disposition: inline
In-reply-to: <Pine.LNX.4.44.0401211220561.15427-100000@estate1.whitemice.org>
References: <Pine.LNX.4.44.0401211220561.15427-100000@estate1.whitemice.org>
User-agent: KMail/1.5.4

On Wednesday 21 January 2004 17:22, Adam Williams wrote:
> >I have been running openldap for a while on Linux but I was wondering,
> >how do you let root use the passwd command to change the users password?
>
> This is really a PAM related question.
>
> I answer it in my LDAP presentation -
> ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf
>
> Hint: "rootbinddn" in /etc/ldap.conf

I have now had a look at the presentation and tried for a day to find where I 
am going wrong with this.  I have also tried several times to access the padl 
lists, without success, so please forgive my responding here rather than 
there.

I have what I believe to be the configuration that you presentation says it 
requires, but still cannot change a password as root without having to login 
to the ldap server first as the user.  This even applies to the root user.

I have this in my /etc/openldap/ldap.conf

host		ldap
base		dc=damonjebb,dc=net
ldap_version	3

rootbinddn 	cn=root,dc=damonjebb,dc=net
scope subhost		ldap
base		dc=damonjebb,dc=net
ldap_version	3

rootbinddn 	cn=root,dc=damonjebb,dc=net
scope sub

pam_filter		objectClass=posixaccount
pam_login_attribute	uid
pam_member_attribute	gid
pam_password 		exop

nss_base_passwd	ou=People,dc=damonjebb,dc=net?sub
nss_base_shadow	ou=People,dc=damonjebb,dc=net?one
nss_base_group	ou=Group,dc=damonjebb,dc=net?one
nss_base_hosts	ou=Hosts,dc=damonjebb,dc=net?one

pam_filter		objectClass=posixaccount
pam_login_attribute	uid
pam_member_attribute	gid
pam_password 		exop
<note - I have had this set to md5 and crypt at various times without any 
difference.  The slapd.conf has {crytpt} with a salt for md5>

nss_base_passwd	ou=People,dc=damonjebb,dc=net?sub
nss_base_shadow	ou=People,dc=damonjebb,dc=net?one
nss_base_group	ou=Group,dc=damonjebb,dc=net?one
nss_base_hosts	ou=Hosts,dc=damonjebb,dc=net?one

and a /etc/ldap.secret file with the password in it in plain text format and a 
blank line below (which I read is required).

This is my current /etc/pam.d/passwd file...

auth		required		pam_env.so
auth		sufficient		pam_unix2.so	likeauth nullok
auth		required		pam_deny.so

account		sufficient		pam_unix2.so
account		required		pam_deny.so

password	required		pam_pwcheck.so	nullok
password	required		pam_unix2.so	nullok  md5 use_first_pass use_authtok

session 	required		pam_unix2.so

This is a SuSe 9 box, and the pam_unix2.conf file specifies the use of 
pam_ldap, so it is not required (and clearly is being used as I am requird to 
log in before accesing the server).

I know that the ldap.conf file is being used during the client access to the 
ldap server because some changes to it have broken it.
I can see from the log file using debug level 128 that the bind is anonymous 
not with the dn specified in the file.  What am I doing wrong?  When I 
disallow anonymous bind in the slapd.conf nothing works properly.

Thanks for any help you might be able to offer.

Damon

Follow-Ups:
- Re: Ldap and passwd command
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: Ldap and passwd command
  - From: Adam Williams <awilliam@whitemice.org>

Prev by Date: Re: Running configure?
Next by Date: 0x45 (LDAP_NO_OBJECT_CLASS_MODS) what can I do?
Index(es):
- Chronological
- Thread