
Re: passwd fails



On Thursday, 2 December 2010 15:26:47 Holger Schier wrote:
> Hi guys,
> 
> my ldapserver works fine now, but the first users are arriving.

Can you provide some configuration details? E.g., /etc/pam.d/passwd and any 
other pam files it includes or stacks.

> The normal users should change their own password. So everyone thinks of
> passwd in the shell.
> 
> But:
> LDAP password information update failed: Insufficient access
> Must supply old password to be changed as well as new one
> 
> Here is my ACL:
> 
> olcAccess: {0} to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset
> by * none
> 
> olcAccess: {1}to attrs=userPassword
> by self write
> by * auth
> 
> olcAccess: {2}to attrs=shadowLastChange
> by self write
> by dn.base="cn=BINDUSER,dc=MY,dc=DC" read
> by users read
> by * auth
> 
> olcAccess: {3}to attrs=userPKCS12
> by self read
> by * none
> 
> olcAccess: {4}to *
> by dn.base="cn=BINDUSER,dc=MY,dc=DC" read
> by * none
> 
> I tried the same with
> olcAccess: {4}to *
> by * read
> 
> and allowing anonymous binds, but same error.
> passwd seems to try to bind with the binduser and then to read and to
> write the userPassword, but only has auth access.

Are you using pam_ldap with rootbinddn? pam_ldap makes some stupid assumptions 
if you use rootbinddn. rootbinddn is used for two different reasons:
- allow you to hide the password (in /etc/ldap.secret, which doesn't need to be 
  world readable)
- allow the root user to change the password of LDAP users without knowing 
  their LDAP password

IMHO, these should be two separate concepts. I would like to be able to secure 
to some degree the host's access to the DSA (even in environments without 
GSSAPI available), but I also don't want to give the host elevated privileges 
in the DIT ...

See function _update_authtok around line 2967 of pam_ldap.c

Regards,
Buchan
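The following is an added example, not code from this thread, from pam_ldap or from OpenLDAP. It is a toy evaluator for the subset of the olcAccess language used in the quoted ACL, applying slapd's documented ordering rules (the first "to" clause covering the target attribute is selected; within it the first matching "by" clause fixes the access level; an unmatched clause falls through to the implicit "by * none"). The user DN uid=holger,ou=people,dc=MY,dc=DC is a constructed placeholder; cn=BINDUSER,dc=MY,dc=DC is from the thread. It shows why a write to userPassword succeeds only when the bind DN is the entry itself, why a bind as cn=BINDUSER gets "auth" and nothing more from rule {1}, and why opening rule {4} to "by * read" changes nothing for userPassword, since rule {1} is matched first and evaluation stops there. It does not model the rest of slapd's ACL machinery (entry/children pseudo-attributes, break/continue controls, peername or ssf restrictions).

```python
"""Toy evaluator for the slapd ACL quoted in this thread.

Added example, not code from the thread, pam_ldap or OpenLDAP.  It models
only the subset of the olcAccess language the posted rules use.
"""
import re

# Privilege levels from weakest to strongest; a granted level satisfies any
# requested level at or below it (write implies read implies ... implies auth).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL as posted in the thread (folded attrs list rejoined), one rule per line.
POSTED_ACL = """
{0}to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset by * none
{1}to attrs=userPassword by self write by * auth
{2}to attrs=shadowLastChange by self write by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by users read by * auth
{3}to attrs=userPKCS12 by self read by * none
{4}to * by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by * none
"""

# Holger's second attempt: rule {4} opened up to 'by * read'.
RELAXED_ACL = POSTED_ACL.replace(
    '{4}to * by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by * none',
    "{4}to * by * read")

BINDUSER = "cn=BINDUSER,dc=MY,dc=DC"          # from the thread
USER = "uid=holger,ou=people,dc=MY,dc=DC"     # constructed placeholder, not in the thread


def norm_dn(dn):
    """Case-insensitive DN comparison with spaces after commas ignored."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


def parse_acl(text):
    """Parse 'to <what> by <who> <level> [by ...]' lines into (attrs, by-list)."""
    rules = []
    for line in text.strip().splitlines():
        line = re.sub(r"^\{\d+\}\s*", "", line.strip())  # drop the {n} ordering tag
        if not line.startswith("to "):
            raise ValueError("unsupported directive: " + line)
        what, *by_parts = re.split(r"\s+by\s+", line[3:])
        if what.strip() == "*":
            attrs = None                                  # covers every attribute
        else:
            m = re.fullmatch(r"attrs=([\w,]+)", what.strip())
            if not m:
                raise ValueError("unsupported 'to' target: " + what)
            attrs = {a.lower() for a in m.group(1).split(",")}
        by_clauses = []
        for part in by_parts:
            who, level = part.rsplit(None, 1)
            if level.lower() not in LEVELS:
                raise ValueError("unknown access level: " + level)
            by_clauses.append((who.strip(), level.lower()))
        rules.append((attrs, by_clauses))
    return rules


def who_matches(who, bind_dn, target_dn):
    """Subset of slapd 'by' subjects: *, anonymous, users, self, dn.base=..."""
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return bind_dn is None
    if w == "users":
        return bind_dn is not None
    if w == "self":
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(target_dn)
    if w.startswith("dn.base="):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[8:].strip('"'))
    raise ValueError("unsupported 'by' subject: " + who)


def granted_level(rules, bind_dn, target_dn, attr):
    """Level slapd would grant bind_dn (None = anonymous) on target_dn's attribute."""
    for attrs, by_clauses in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue                  # this 'to' clause does not cover the attribute
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level          # first matching 'by' wins, evaluation stops here
        return "none"                 # 'to' matched but no 'by' did: implicit deny
    return "none"                     # no rule covers the attribute: deny


def access_allowed(rules, bind_dn, target_dn, attr, requested):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(requested)


if __name__ == "__main__":
    rules = parse_acl(POSTED_ACL)
    print("user writing own userPassword   :", access_allowed(rules, USER, USER, "userPassword", "write"))
    print("BINDUSER writing userPassword   :", access_allowed(rules, BINDUSER, USER, "userPassword", "write"))
    print("BINDUSER level on userPassword  :", granted_level(rules, BINDUSER, USER, "userPassword"))
    print("BINDUSER writing shadowLastChange:", access_allowed(rules, BINDUSER, USER, "shadowLastChange", "write"))
    print("relaxed {4}, BINDUSER write pw  :", access_allowed(parse_acl(RELAXED_ACL), BINDUSER, USER, "userPassword", "write"))
```

Run it as is; the last line is the one that matters for the thread: whatever rule {4} says, a client that binds as cn=BINDUSER and then tries to modify userPassword of another entry gets at most "auth" from rule {1}, which is exactly the "Insufficient access" the passwd run reports. Only a bind as the entry itself ("by self write") reaches "write" under this ACL.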