PAM EXOP causes chain bind password to change
I am having an issue with my 'chain' bind password getting changed instead of the user's password.
In a Red Hat Linux environment, running OpenLDAP 2.3.43 (-3.el5 RPM from RH), I am using a master-slave setup, with chaining (as opposed to referral) as a method to allow users to change passwords (most LDAP clients hit the slave). Because I have some other issues when I set (nss_ldap) 'pam_password md5' in ldap.conf, I tried setting it to 'pam_password exop' instead. But, with this setting, when a user attempts a password change from one of the Linux clients, the ldap chain BIND password is changed on the master, instead of the user's password.
In my slave slapd.conf, I have:
####################################################################
# Chain to Master for updates
overlay chain
chain-uri "ldap://10.10.1.191"
chain-idassert-bind bindmethod="simple"
        binddn="cn=ldapChain,o=myorg,dc=myco,dc=net"
        credentials="ldapChain"
        mode="none"
# mode="self"
chain-max-depth 2
chain-return-error TRUE
chain-rebind-as-user TRUE
#######################################################################
# To sync with the LDAP Master database using syncrepl
syncrepl rid=222
        type=refreshAndPersist
        provider=ldap://10.10.1.191
        retry="30 10 300 3"
        searchbase="dc=myco,dc=net"
        filter="(objectClass=*)"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=syncRepl,o=myorg,dc=myco,dc=net"
        credentials="syncRepl"
updateref ldap://10.10.1.191
####################################################################
So, for example, when some user, say 'userbob', issues a 'passwd' and attempts to change his password from a Linux LDAP client (configured to hit the slave LDAP server), the password for "cn=ldapChain,o=myorg,dc=myco,dc=net" instead gets changed. The user's password does not get changed.
Anyone know what I could possibly have mis-configured that would cause this?
Thanks in advance,
Joe