Re: Ldap and passwd command
On Wednesday 21 January 2004 17:22, Adam Williams wrote:
> >I have been running openldap for a while on Linux but I was wondering,
> >how do you let root use the passwd command to change the users password?
>
> This is really a PAM related question.
>
> I answer it in my LDAP presentation -
> ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf
>
> Hint: "rootbinddn" in /etc/ldap.conf
I have now had a look at the presentation and tried for a day to find where I
am going wrong with this. I have also tried several times to access the padl
lists, without success, so please forgive my responding here rather than
there.
I have what I believe to be the configuration that your presentation says it
requires, but still cannot change a password as root without having to login
to the ldap server first as the user. This even applies to the root user.
I have this in my /etc/openldap/ldap.conf
host ldap
base dc=damonjebb,dc=net
ldap_version 3
rootbinddn cn=root,dc=damonjebb,dc=net
scope sub
pam_filter objectClass=posixaccount
pam_login_attribute uid
pam_member_attribute gid
pam_password exop
<note - I have had this set to md5 and crypt at various times without any
difference. The slapd.conf has {crypt} with a salt for md5>
nss_base_passwd ou=People,dc=damonjebb,dc=net?sub
nss_base_shadow ou=People,dc=damonjebb,dc=net?one
nss_base_group ou=Group,dc=damonjebb,dc=net?one
nss_base_hosts ou=Hosts,dc=damonjebb,dc=net?one
and a /etc/ldap.secret file with the password in it in plain text format and a
blank line below (which I read is required).
This is my current /etc/pam.d/passwd file...
auth required pam_env.so
auth sufficient pam_unix2.so likeauth nullok
auth required pam_deny.so
account sufficient pam_unix2.so
account required pam_deny.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok md5 use_first_pass use_authtok
session required pam_unix2.so
This is a SuSe 9 box, and the pam_unix2.conf file specifies the use of
pam_ldap, so it is not required (and clearly is being used as I am required to
log in before accessing the server).
I know that the ldap.conf file is being used during the client access to the
ldap server because some changes to it have broken it.
I can see from the log file using debug level 128 that the bind is anonymous
not with the dn specified in the file. What am I doing wrong? When I
disallow anonymous bind in the slapd.conf nothing works properly.
Thanks for any help you might be able to offer.
Damon
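A small check script for the rootbinddn setup described in this message, added here as an example rather than anything from the thread. It assumes the pam_ldap file paths /etc/ldap.conf and /etc/ldap.secret, and that the installed ldapwhoami supports -y for reading the bind password from a file.

```shell
#!/bin/sh
# Added example (not from the list post): sanity checks for the pam_ldap
# "rootbinddn" setup. Assumed paths: /etc/ldap.conf and /etc/ldap.secret.

# Print the rootbinddn value from an ldap.conf-style file (first match only;
# commented-out lines such as "#rootbinddn ..." are ignored).
ldap_rootbinddn() {
    awk '$1 == "rootbinddn" { print $2; exit }' "$1"
}

# Return 0 if the secret file is usable and not exposed: a regular file with a
# non-empty first line and no group/other permission bits. Anything wider than
# 0600 hands the directory root bind password to every local account.
check_ldap_secret() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) ;;                                  # 600, 400, 0600 ... are fine
        *) echo "bad mode $mode on $f (expected 600)" >&2; return 1 ;;
    esac
    [ -n "$(head -n 1 "$f")" ] || { echo "empty first line in $f" >&2; return 1; }
    return 0
}

# Attempt the same simple bind pam_ldap would make as root, so a failure can be
# reproduced outside PAM. -y reads the password from the secret file, keeping it
# off the command line and out of the process list.
# Usage: try_root_bind /etc/ldap.conf ldap.example.net /etc/ldap.secret
try_root_bind() {
    dn=$(ldap_rootbinddn "$1")
    [ -n "$dn" ] || { echo "no rootbinddn in $1" >&2; return 1; }
    check_ldap_secret "$3" || return 1
    ldapwhoami -x -H "ldap://$2" -D "$dn" -y "$3"
}
```

If ldapwhoami succeeds here but the slapd log still shows an anonymous bind during passwd, the problem is in the PAM stack rather than in the secret file or its permissions.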