I am having a problem that I am hoping the list can help with. When
using the pwdReset attribute to force a password change the user
receives the following error when trying to reset the password on
SSH login:
LDAP password information update failed: Can't contact LDAP server
passwd: Permission denied
This only occurs for clients using a slave to authenticate, and only
when changing the password on login in combination with the pwdReset
attribute. A non-forced password change works fine when a user runs
the passwd command manually on one of the slave clients. So it seems
referrals by themselves work OK. Forced password changes using the
pwdReset attr also work for clients that use the master directly, so
the issue is specific to slave-authentication+pwdReset+referral.
The debug log on the master shows that it is being reached by the
client, but slapd refused to perform the action:
slapd[1079]: conn=1 op=1 BIND
dn="uid=jschmo,ou=users,dc=example,dc=com" method=128
slapd[1079]: conn=1 op=1 RESULT tag=97 err=53 text=unauthenticated
bind (DN with no password) disallowed
The debug log on the slave shows the following error:
slapd[11339]: conn=5 op=10 MOD
dn="uid=jschmo,ou=users,dc=example,dc=com"
slapd[11339]: conn=5 op=10 MOD attr=userPassword
slapd[11339]: conn=5 op=10 RESULT tag=103 err=10 text=
I've tried searching for information on this, but to date nothing I
have found resolved the issue. One attempt involved setting an allow
statement in the master slapd.conf for "bind_anon_dn". This did
prevent the err=53, but produced another error:
Jun 19 12:21:12 admin5-ash slapd[30555]: conn=4 op=2 RESULT tag=103
err=8 text=modifications require authentication
The following applies to both master and slave servers:
OpenLDAP: openldap-2.3.39-3.rhel5 (Buchan's Packages)
OS: Centos 5.1
For the client I have tried the following configurations:
OpenLDAP: openldap-2.2.13-8 (RH Stock)
PAM_LDAP: nss_ldap-226-20 (RH Stock)
OS: RHEL4.6
OpenLDAP version: openldap-2.3.39-3.rhel5 (Buchan's Packages)
PAM_LDAP: nss_ldap-253-5.el5 (Centos Stock)
OS: Centos 5.1
If any other information is needed let me know. Thanks to all.
--AP