
Re: Replication and user password change



updateref               ldap://ldapmaster.symas.com

http://www.openldap.org/doc/admin24/replication.html#Replication%20Technology

suomi

On 04/04/2012 04:13 PM, Jacques Foucry wrote:
Hello the list,

I'm new here, new to OpenLDAP, and I have an issue.

I've searched for an explanation for a long time now but found nothing.

Here is my problem.

I run an OpenLDAP server on a Debian VM:

# slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Jul 23 2010 21:37:26) $

@barber:/build/buildd-openldap_2.4.11-1+lenny2-amd64-WJ2jlD/openldap-2.4.11/debian/build/servers/slapd

I have many direct clients (desktop computers that query the LDAP server)
and everything works well.

I put this ACL in slapd.conf to allow users to change their password:

access to attrs=userPassword,shadowLastChange
         by self write
         by dn="cn=syncuser,dc=example,dc=com" read
         by anonymous auth
         by * none

access to *
         by self write
         by * read

And it works fine.

These are the only ACLs I have.

I also have 2 replicas of this LDAP server:

syncrepl rid=002
         provider=ldaps://ldap.example.com
         type=refreshOnly
         interval=00:01:00:00
         retry="60 10 300 +"
         filter="(objectClass=*)"
         scope=sub
         attrs="*"
         bindmethod=simple
         schemachecking=off
         searchbase="dc=example,dc=com"
         binddn="cn=syncuser,dc=example,dc=com"
         credentials=youdonthavetoknow
         tls_reqcert=never

The replicas work well too, and users can connect to those replica
computers (I don't have clients of those replicas).

But the trouble is when a user connected to one of these replicas tries
to change his password:

% passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Strong(er) authentication required
modifications require authentication
passwd: Permission denied
passwd: password unchanged


In the /var/log/auth.log file I found:

Apr  4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:account): password
for user test will expire in 4 days
Apr  4 16:10:45 ovhstorage sshd[22056]: Accepted publickey for test from
88.162.182.86 port 49955 ssh2
Apr  4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:session): session
opened for user test by (uid=0)
Apr  4 16:10:48 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok):
user "test" does not exist in /etc/passwd
Apr  4 16:10:55 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok):
user "test" does not exist in /etc/passwd

I know that modifications must be done on the master server, but how can I
send modifications to the master? Do I have to use "referrals"?

Thanks in advance for giving the correct pointers.

Best regards
Jacques Foucry
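The consumer-side configuration behind the `updateref` answer above, as an added example that is not part of the reply or of the quoted post. A syncrepl consumer's database is a read-only shadow: with `updateref` set, slapd answers a write with a referral to the provider and it is then up to the client to follow it and re-bind there, which many clients never do on writes. The fragment therefore also shows the chain overlay (slapo-chain), which makes the replica forward the write to the provider itself while asserting the bound user's own identity, so the provider's `by self write` ACL still decides the result. `ldapmaster.symas.com` is taken from the reply and `dc=example,dc=com` and `cn=syncuser,dc=example,dc=com` from the post; the proxy identity `cn=proxy,dc=example,dc=com`, both passwords and the `ou=People` subtree are placeholders chosen for this example.

```conf
# Replica (syncrepl consumer) slapd.conf. Added example; the proxy DN, the
# passwords and ou=People are assumptions, not values from the thread.

# --- global section: chain overlay, stacked on the frontend ---------------
# Writes that reach this read-only shadow are forwarded to the provider by
# the replica itself, so a client that ignores referrals still succeeds.
# mode="self" binds as cn=proxy and asserts the original user's DN through
# proxy authorization; the provider then applies its normal "by self write".
overlay                 chain
chain-uri               "ldaps://ldapmaster.symas.com"   # TLS: the user's new password travels in the forwarded modify
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=proxy,dc=example,dc=com"
                        credentials="proxy-secret"         # placeholder
                        mode="self"
chain-return-error      TRUE      # hand the provider's error (e.g. ACL denial) back to the client unchanged

# --- the replicated database ---------------------------------------------
database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap

# Referral for clients that do chase referrals (ldapmodify -C, ldappasswd -C).
# The reply used ldap://; ldaps:// keeps the re-bind and the new password
# off the wire in clear text.
updateref       ldaps://ldapmaster.symas.com

syncrepl rid=002
        provider=ldaps://ldapmaster.symas.com
        type=refreshOnly
        interval=00:01:00:00
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        scope=sub
        attrs="*"
        bindmethod=simple
        binddn="cn=syncuser,dc=example,dc=com"
        credentials="syncuser-secret"     # placeholder
        tls_reqcert=demand   # the post had 'never', which accepts any certificate, i.e. any host claiming to be the provider

# ACLs are not replicated; the replica needs the same userPassword ACL as
# the master or anonymous clients cannot even authenticate here.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read

# --- provider side (master slapd.conf), required for mode="self" ------------
# authz-policy to
# and on the entry cn=proxy,dc=example,dc=com (LDIF):
#   authzTo: dn.subtree:ou=People,dc=example,dc=com
# Without this the provider refuses the identity assertion and every
# chained write fails, which chain-return-error reports to the client.

# Check from the replica, before trusting PAM to do it (both tools are
# OpenLDAP client utilities; -C tells them to chase the referral):
#   ldappasswd -x -C -H ldaps://replica -D "uid=test,ou=People,dc=example,dc=com" -W -S
#   ldapmodify -x -C -H ldaps://replica -D "uid=test,ou=People,dc=example,dc=com" -W -f change.ldif
```

Referral alone is the smaller trust surface: the replica holds no credential that can write to the master. Chaining adds one, so the proxy identity should be a dedicated entry, limited by `authzTo` to the user subtree, and never the provider's rootdn.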