
Re: [pamldap] Re: Does any have LDAP password change working with "passwd"?



On Wed, 15 Aug 2001, David Wright wrote:

>
> > Is this even possible (it seems it should be)?
>
> Yes. I do, but it took some doing to get it working. First, pick a
> password scheme for OpenLDAP (in /etc/openldap/slapd.conf).  I chose
>    password-hash {MD5}
>
> Next, tell pam_ldap to let OpenLDAP do the password hashing (in
> /etc/ldap.conf), instead of trying to do it locally.
>    pam_password exop

Many thanks for replying.  I'm using nss_ldap-167 from Red Hat rawhide
rebuilt for RH7.1.  It includes pam_ldap-122.

User logins work with no problems.

When I run "passwd" it prompts for the current password, I type it and
press enter.

Over on the OpenLDAP server, this is what log shows.

Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access to "uid=testuser,ou=People,dc=example,dc=com" "userPassword" requested
Aug 15 10:09:50 shaka slapd[9786]: => acl_get: [1] check attr userPassword
Aug 15 10:09:50 shaka slapd[9786]: <= acl_get: [1] acl uid=testuser,ou=People,dc=example,dc=com attr: userPassword
Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: access to entry "uid=testuser,ou=People,dc=example,dc=com", attr "userPassword" requested
Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: to all values by "", (=n)
Aug 15 10:09:50 shaka slapd[9786]: <= check a_dn_pat: *
Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] applying read (=rscx) (stop)
Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] mask: read (=rscx)
Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access granted by read (=rscx)

On the client machine, this is what /var/log/messages shows:

pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)

Here is /etc/ldap.conf

host shaka.example.com
base dc=example,dc=com
port 636
pam_password exop
ssl start_tls
ssl yes


Any and all feedback greatly appreciated.

Dax
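
Added example, not part of the original thread or of the pam_ldap or OpenLDAP code: a small Python audit of the slapd ACL trace quoted in the message above. The sample input is constructed from the log lines shown, re-joined so each record is one line, and nothing else. The script pulls out who was being checked (the bind DN, here the empty string, i.e. an anonymous client), which ACL clause matched (`a_dn_pat: *`) and what was granted, then flags two things a practitioner would want to see: the catch-all clause gives anonymous `read (=rscx)` on `userPassword`, so the password hashes are readable by any client that can reach the server, and the trace ends in `auth access granted`, so this ACL is not what produced the `Invalid credentials` bind failure. The access-level ordering follows slapd.access(5); the `hardened_acl` helper and its wording (self write, anonymous auth, everyone else none) are this example's own assumptions, not something the thread states.

```python
import re

# Constructed sample input: the slapd ACL trace quoted in the message above,
# with the archive's line wrapping undone so each log record is one line.
SAMPLE_TRACE = """\
Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access to "uid=testuser,ou=People,dc=example,dc=com" "userPassword" requested
Aug 15 10:09:50 shaka slapd[9786]: => acl_get: [1] check attr userPassword
Aug 15 10:09:50 shaka slapd[9786]: <= acl_get: [1] acl uid=testuser,ou=People,dc=example,dc=com attr: userPassword
Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: access to entry "uid=testuser,ou=People,dc=example,dc=com", attr "userPassword" requested
Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: to all values by "", (=n)
Aug 15 10:09:50 shaka slapd[9786]: <= check a_dn_pat: *
Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] applying read (=rscx) (stop)
Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] mask: read (=rscx)
Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access granted by read (=rscx)
"""

# slapd access levels in increasing order (slapd.access(5)); each level
# implies the ones before it.  The letters in a "(=rscx)" mask are the
# single-letter spellings of these levels.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
MASK_LETTERS = {"n": "none", "x": "auth", "c": "compare",
                "s": "search", "r": "read", "w": "write"}

REQUEST_RE = re.compile(
    r'access_allowed: (?P<level>\w+) access to "(?P<dn>[^"]+)" "(?P<attr>[^"]+)" requested')
BY_RE = re.compile(r'acl_mask: to all values by "(?P<bind_dn>[^"]*)"')
PATTERN_RE = re.compile(r'check a_dn_pat: (?P<pat>\S+)')
GRANT_RE = re.compile(
    r'access_allowed: (?P<level>\w+) access (?P<result>granted|denied) '
    r'by (?P<by>\w+) \(=(?P<mask>[a-z]+)\)')


def parse_trace(text):
    """Extract the single access decision recorded in a slapd ACL trace."""
    rec = {"requested": None, "target": None, "attr": None,
           "bind_dn": None, "pattern": None, "result": None, "mask": ""}
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            rec["requested"], rec["target"], rec["attr"] = m.group("level", "dn", "attr")
            continue
        m = BY_RE.search(line)
        if m:
            rec["bind_dn"] = m.group("bind_dn")   # "" means an anonymous client
            continue
        m = PATTERN_RE.search(line)
        if m:
            rec["pattern"] = m.group("pat")       # the <who> clause that matched
            continue
        m = GRANT_RE.search(line)
        if m:
            rec["result"], rec["mask"] = m.group("result"), m.group("mask")
    return rec


def highest_level(mask):
    """Strongest access level named in a mask string such as 'rscx'."""
    levels = [MASK_LETTERS[ch] for ch in mask if ch in MASK_LETTERS]
    return max(levels, key=LEVELS.index) if levels else "none"


def audit(text):
    """Return (parsed record, list of findings) for one ACL trace."""
    rec = parse_trace(text)
    findings = []
    granted = highest_level(rec["mask"])
    anonymous = rec["bind_dn"] == ""
    if (rec["attr"] == "userPassword" and anonymous
            and LEVELS.index(granted) >= LEVELS.index("read")):
        findings.append("anonymous read on userPassword: password hashes are "
                        "disclosed to any client that can reach the server")
    if rec["attr"] == "userPassword" and rec["pattern"] == "*":
        findings.append("userPassword matched only the catch-all 'by *' clause: "
                        "no attribute-specific ACL precedes it")
    if rec["result"] == "granted":
        findings.append("ACL granted the %s request, so the bind was rejected on "
                        "the credential itself, not by this ACL" % rec["requested"])
    return rec, findings


def hardened_acl(attr="userPassword"):
    """Assumed replacement clause: the entry owner may change the attribute,
    anonymous clients may only bind against it, nobody else sees it."""
    return ("access to attrs=%s\n"
            "    by self write\n"
            "    by anonymous auth\n"
            "    by * none\n" % attr)


if __name__ == "__main__":
    record, problems = audit(SAMPLE_TRACE)
    print("bind DN: %r  clause: %s  granted: %s" %
          (record["bind_dn"], record["pattern"], highest_level(record["mask"])))
    for p in problems:
        print(" -", p)
    print("suggested clause:\n" + hardened_acl(record["attr"]))
```

Two notes on applying the suggested clause in slapd.conf: ACL clauses are evaluated in order and the first `access to` that matches the target wins, so the `attrs=userPassword` clause has to come before the catch-all `access to * by * read` or it never runs; and `by anonymous auth` is the minimum a bind needs, which is exactly the `auth` level the trace shows being requested.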