
passwd not working with OpenLDAP / PAM



Dear List,

first, I know that there is a special pam_ldap mailing list, but
unfortunately my posting there was not so successful, so maybe here
somebody knows what to do.

Thanks

I've got a fresh LDAP / SAMBA / PAM setup running here on:
Debian 3 (x86) with:
        - openldap-2.1.8
        - libpam 0.72-35
        - libpam-ldap 140-1
        - libpam-smbpass 2.2.3a-6
        - libnss-ldap 186-1

What works:
        - I can login with LDAP users
        - I can login with non-LDAP (local) users

The problems are:
        1) I can not passwd local users at all:
        ---
        passwd: User not known to the underlying authentication module
        ---

        2) I can not passwd LDAP users, the LDAP password
           seems to be incorrect, although I could login with
           it:
        ---
        [test.user@testserver test.user]$passwd
        Enter login(LDAP) password:
        LDAP Password incorrect: try again
        Enter login(LDAP) password:
        LDAP Password incorrect: try again
        Enter login(LDAP) password:
        LDAP Password incorrect: try again
        passwd: Have exhasted maximum number of retries for service.
        ---

        3) User "root" can passwd other users with success.

My files look like:

* /etc/nsswitch.conf:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
shadow:         files ldap
group:          files ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis


* /etc/ldap/slapd.conf:
### Load schema data ###

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/samba.schema
#include        /etc/ldap/schema/qmail.schema


### Load SSL certificate ###

TLSCertificateFile      /etc/ldap/server.pem
TLSCertificateKeyFile   /etc/ldap/server.pem
TLSCACertificateFile    /etc/ldap/server.pem


### LDAP database definition ###

database        bdb
suffix          "dc=ame,dc=loc"
directory       /var/ldap

### LDAP superuser definition ###

rootdn  "cn=service,dc=ame,dc=loc"
rootpw  password


# Indices to maintain
index   objectClass     eq


### ACL definitions ###

# Users may change their own attributes,
# everyone else sees nothing
access to attr=loginShell
       by dn="uid=service,dc=ame,dc=loc" write
       by self write
       by * none


# Users may change their own attributes,
# authenticated users may read,
# everyone else sees nothing
access to
attr=telephoneNumber,seeAlso,description,audio,businessCategory,carLicense,displayName,homePhone,homePostalAddress,jpegPhoto,labeledURI,mobile,pager,photo,homeTelephoneNumber,favouriteDrink
       by dn="uid=service,dc=ame,dc=loc" write
       by self write

# Users may change their own attributes,
# everyone else may read
access to
attr=dc,o,ou,uid,cn,givenName,sn,gecos,initials,title,photo,mail
       by dn="uid=service,dc=ame,dc=loc" write
       by self write
       by * read

#
# Users may change their own passwords.
# anonymous auth only makes sense for userPassword,
# but does no harm otherwise.
# The Samba server must have write access here!
access to attr=userPassword,lmPassword,ntPassword
       by dn="uid=service,dc=ame,dc=loc" write
       by self write
       by anonymous auth
       by * none

#
# Users may read their own attributes,
# everyone else sees nothing
#access to attr=accountStatus,mailQuota,registeredAddress
#       by dn="uid=service,dc=ame,dc=loc" write
#       by self read
#       by * none

access to attr=registeredAddress
       by dn="uid=service,dc=ame,dc=loc" write
       by self read
       by * none

#
# Base rule so that anonymous users can search
# the directory
access to attr=entry,objectClass
       by dn="uid=service,dc=ame,dc=loc" write
       by * read

#
# Default policy: if none of the rules above
# matches, authenticated users may read
# and everyone else sees nothing.
access to *
        by dn="uid=service,dc=ame,dc=loc" write
        by users read
        by * none


* /etc/pam.d/passwd:
  The smbpass.so line is for later stacking of both mechanisms,
  so Linux passwd also changes the "ntpassword" and
  "lmpassword" attributes of the user, for password consistency
  between SMB and Linux.
---
#%PAM-1.0
auth     sufficient     pam_ldap.so
auth     required       pam_unix.so     nullok use_first_pass
account  sufficient     pam_ldap.so
account  required       pam_unix.so
password required       pam_pwcheck.so  nullok
password required       pam_ldap.so     use_first_pass use_authtok
#password sufficient     pam_smbpass.so  audit use_first_pass
password required       pam_unix.so     nullok use_first_pass \
use_authtok min=4 max=15 obscure
session  required       pam_unix.so
---

* /etc/pam.d/login:
---
auth            required        pam_securetty.so
auth            required        pam_nologin.so
auth            sufficient      pam_smbpass.so  try_first_pass audit
auth            required        pam_unix.so
account         sufficient      pam_ldap.so
account         required        pam_unix.so
password        required        pam_pwcheck.so
password        required        pam_smbpass.so  debug use_first_pass \
use_authok
password        required        pam_unix.so     nullok use_first_pass \
use_authtok
session         required        pam_unix.so     none # debug or trace
session         required        pam_limits.so
session         required        pam_env.so
session         optional        pam_mail.so
---

* /etc/ldap.conf
 The rootbind-pw lies in /etc/ldap.secret, with 600.
---
BASE    dc=ame,dc=loc
URI     ldap://10.1.1.50

BINDDN  ou=nss,dc=ame,dc=loc
BINDPW  password
ROOTBINDDN      ou=service,dc=ame,dc=loc
---

My logfiles say, at passwd of an LDAP user:
* LDAP-Log:
---
Nov 20 11:50:17 testserver slapd[1079]: daemon: conn=21 fd=16 connection
from IP=127.0.0.1:33014 (IP=0.0.0.0:389) accepted.
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 RESULT tag=97 err=0
text=
Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SRCH
base="dc=ame,dc=loc" scope=2 filter="(uid=test.user)"
Nov 20 11:50:17 testserver slapd[1084]: <= bdb_equality_candidates:
index_param failed (18)
Nov 20 11:50:17 testserver slapd[1084]: conn=21 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 BIND
dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 RESULT tag=97
err=50 text=
Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 RESULT tag=97 err=0
text=
Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 BIND
dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:23 testserver slapd[1084]: conn=21 op=4 RESULT tag=97
err=50 text=
Nov 20 11:50:23 testserver slapd[1083]: conn=21 op=5 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:23 testserver slapd[1083]: conn=21 op=5 RESULT tag=97 err=0
text=
Nov 20 11:50:25 testserver slapd[1082]: conn=21 op=6 BIND
dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:25 testserver slapd[1082]: conn=21 op=6 RESULT tag=97
err=50 text=
Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=7 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=7 RESULT tag=97 err=0
text=
Nov 20 11:50:25 testserver slapd[1079]: daemon: conn=22 fd=17 connection
from IP=127.0.0.1:33015 (IP=0.0.0.0:389) accepted.
Nov 20 11:50:25 testserver slapd[1083]: conn=22 op=0 BIND
dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:25 testserver slapd[1083]: conn=22 op=0 RESULT tag=97 err=0
text=
Nov 20 11:50:25 testserver slapd[1082]: conn=22 op=1 SRCH
base="dc=ame,dc=loc" scope=2
filter="(&(objectClass=shadowAccount)(uid=test.user))"
Nov 20 11:50:25 testserver slapd[1082]: <= bdb_equality_candidates:
index_param failed (18)
Nov 20 11:50:25 testserver slapd[1082]: conn=22 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Nov 20 11:50:25 testserver slapd[1084]: conn=21 op=8 UNBIND
Nov 20 11:50:25 testserver slapd[1084]: conn=21 fd=16 closed
Nov 20 11:50:25 testserver slapd[1079]: conn=22 fd=17 closed
---

* AUTH.LOG
---
Nov 20 11:50:20 testserver passwd[1116]: pam_ldap: error trying to bind
as user "uid=test.user,ou=Muenchen,dc=ame,dc=loc" (Insufficient access)
Nov 20 11:50:25 testserver last message repeated 2 times
Nov 20 11:50:25 testserver PAM_unix[1116]: password - (old) token not
obtained
---

Thank you very much in advance for your help, this is really the last
topic to make this server ready and I struggle here very badly...:-/

Matthias

-- 
Matthias Eichler <mylists@ame.de>
AME Aigner Media & Entertainment
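As an added example (not from Matthias's post or the OpenLDAP project): a small Python helper that pairs the BIND and RESULT lines of the slapd log above (rejoined where the mail client wrapped them) and decodes the bind result code, so that an ACL denial (err=50, insufficientAccessRights, matching the "Insufficient access" in auth.log) is not mistaken for a wrong password (err=49, invalidCredentials). The sample log is constructed from the lines on the page.

```python
import re

# Constructed sample: BIND/RESULT pairs taken from the slapd log in the post,
# each log line rejoined onto a single line.
SAMPLE_LOG = """\
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 BIND dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:17 testserver slapd[1082]: conn=21 op=0 RESULT tag=97 err=0 text=
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 BIND dn="uid=test.user,ou=Muenchen,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1083]: conn=21 op=2 RESULT tag=97 err=50 text=
Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 BIND dn="cn=service,dc=ame,dc=loc" method=128
Nov 20 11:50:20 testserver slapd[1082]: conn=21 op=3 RESULT tag=97 err=0 text=
"""

# LDAP resultCode values that matter for simple-bind failures (RFC 4511).
RESULT_NAMES = {0: "success", 49: "invalidCredentials", 50: "insufficientAccessRights"}

# tag=97 is the BER tag of a BindResponse, so RESULT tag=97 completes a BIND op.
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def bind_results(log_text):
    """Return (conn, op, dn, err) for every BIND that has a matching RESULT line."""
    pending = {}  # (conn, op) -> bind DN, until its RESULT line arrives
    results = []
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending[(int(m.group(1)), int(m.group(2)))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            if key in pending:
                results.append((key[0], key[1], pending.pop(key), int(m.group(3))))
    return results


def failed_binds(log_text):
    """Failed binds with the result code decoded: 49 means the password was
    rejected, 50 means slapd's ACLs did not grant 'auth' access to the
    password attribute for that bind."""
    return [(dn, err, RESULT_NAMES.get(err, "other"))
            for _, _, dn, err in bind_results(log_text) if err != 0]


if __name__ == "__main__":
    for dn, err, name in failed_binds(SAMPLE_LOG):
        print(f"bind as {dn} failed: err={err} ({name})")
```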