[Date Prev][Date Next] [Chronological] [Thread] [Top]

Problem changing LDAP passwords with "passwd"



Users can login with NO problems.  Changing the passwords is the problem.

Running passwd gives:

Enter login(LDAP) password: [password entered]
LDAP Password incorrect: try again  (this comes back very quickly)
Enter login(LDAP) password: [password entered]
(etc, etc)

The the machine where the user is trying to change the password,
/var/log/message shows:

passwd[14697]: pam_ldap: error trying to bind as user
"uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)

Configuration follows:

I've setup an OpenLDAP 2.0.11 server, here are the access control lines
(taken from the Administrator's Guide).  I imported everything using the
PADL migration scripts.

access to * by * read
access to attr=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
access to * by users read


=== On the clients /etc/ldap.conf
host server1.example.com server2.example.com
base dc=example,dc=com
port 636
ssl start_tls
ssl yes

# cat /etc/pam.d/passwd
#%PAM-1.0
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so