[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: root cannot change user password with command "passwd", sssd, pam, openldap



Answer: you cannot change password using passwd, as sssd doesn't
support such feature. There might be change to sss_ldap.so to prompt
for ldap admin DN and password, but ldapasswd and kpasswd are
considered sufficient tools.

For more info see this thread:
https://lists.fedoraproject.org/pipermail/users/2013-July/438605.html.

On 22 July 2013 22:08, Augustin Wolf <augustynwilk@gmail.com> wrote:
> On 22 July 2013 18:14, Michael Proto <michael.proto@tstllc.net> wrote:
>> I believe you can use the rootbinddn feature in pam_ldap.conf to allow the
> rootbinddn is set in pam_ldap.conf and sadly it doesn't work.
> I got it set to LDAP admin DN (the same as rootdn in slapd.conf). This
> user has more privilages (manage permission to all LDAP attributes)>
>
> On 22 July 2013 14:57, Cooper, Tom <TCooper@fnb.co.za> wrote:
>> Root has to use ldappasswd to change users' passwords.
> I head to integrate user database with Kerberos. I'm guessing that
> ldappaswd doesn't support Kerberos attributes. Does root have to
> change password with use of two systems: one for ldap another for
> Kerberos?
> Does root really has to do double work to change all tokens? Without
> it there might be passwords mismatch. Different password for Kerberos
> and different for LDAP.
>
>> -Michael Proto
>
>
> In my struggle with this issue, I noticed, that when I add to
> /etc/sssd/sssd.conf :
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = root/admin
> ldap_sasl_realm = EXAMPLE.COM
> the error message is different:
> [root@ldap ~]# passwd test
> Changing password for user test.
> System is offline, password change not possible
> passwd: Authentication token manipulation error
> ==> /var/log/secure <==
> Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication
> failed for user test: 20 (Authentication token manipulation error)
>
> thx for reply guys.
>>> My configs, logs, etc are in here: http://fpaste.org/26708/