
Re: [pamldap] Re: Does any have LDAP password change working with "passwd"?



Looks to me like slapd is allowing you only auth access to the
userPassword attribute.  You might want to look over your acls again and
make sure your userPassword acl looks something like this:

access to attr=userPassword
	by dn="cn=manager...." write
	by self write
	by anonymous auth
	by * none

Hope that helps,
Andy

On Wed, 15 Aug 2001, Dax Kelson wrote:

> On Wed, 15 Aug 2001, David Wright wrote:
>
> >
> > > Is this even possible (it seems it should be)?
> >
> > Yes. I do, but it took some doing to get it working. First, pick a
> > password scheme for OpenLDAP (in /etc/openldap/slapd.conf).  I chose
> >    password-hash	{MD5}password
> >
> > Next, tell pam_ldap to let OpenLDAP do the password hashing (in
> > /etc/ldap.conf), instead of trying to do it locally.
> >    pam_password exop
>
> Many thanks for replying.  I'm using nss_ldap-167 from Red Hat rawhide
> rebuilt for RH7.1.  It includes pam_ldap-122.
>
> User logins work with no problems.
>
> When I run "passwd" it prompts for the current password, I type it and
> press enter.
>
> Over on the OpenLDAP server, this is what log shows.
>
> Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access to
> "uid=testuser,ou=People,dc=example,dc=com" "userPassword" requested
> Aug 15 10:09:50 shaka slapd[9786]: => acl_get: [1] check attr userPassword
> Aug 15 10:09:50 shaka slapd[9786]: <= acl_get: [1] acl
> uid=testuser,ou=People,dc=example,dc=com attr: userPassword
> Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: access to entry
> "uid=testuser,ou=People,dc=example,dc=com", attr "userPassword" requested
> Aug 15 10:09:50 shaka slapd[9786]: => acl_mask: to all values by "", (=n)
> Aug 15 10:09:50 shaka slapd[9786]: <= check a_dn_pat: *
> Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] applying read (=rscx)
> (stop)
> Aug 15 10:09:50 shaka slapd[9786]: <= acl_mask: [1] mask: read (=rscx)
> Aug 15 10:09:50 shaka slapd[9786]: => access_allowed: auth access granted
> by read (=rscx)
>
> On the client machine, this is what /var/log/messages shows:
>
> pam_ldap: error trying to bind as user
> "uid=testuser,ou=People,dc=example,dc=com" (Invalid credentials)
>
> Here is /etc/ldap.conf
>
> host shaka.example.com
> base dc=example,dc=com
> port 636
> pam_password exop
> ssl start_tls
> ssl yes
>
>
> Any and all feedback greatly appreciated.
>
> Dax
>
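The first-match ACL evaluation Andy is pointing at, as an added example that is not part of this thread (a small Python model, not slapd's own code): it parses one "access to attr=userPassword" clause and reports what an anonymous bind, the user, the manager and another user get, first for a read-only ACL of the shape the quoted log implies and then for the ACL Andy suggests. The full manager DN, the second user and the ACL text are constructed for the example; real slapd supports many more "by" forms than the four modelled here.

```python
import re
# OpenLDAP access levels; each implies the ones before it (none < auth < ... < write).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    # Turn the "by <who> <level>" lines of one "access to" clause into an ordered list.
    rules = []
    for line in text.strip().splitlines()[1:]:
        m = re.match(r"\s*by\s+(.+?)\s+(\w+)\s*$", line)
        if not m:
            raise ValueError("unparseable rule: " + line)
        rules.append((m.group(1), m.group(2)))
    return rules
def who_matches(who, binder, target):
    # binder is the bind DN ("" for anonymous); target is the entry being accessed.
    if who == "*":
        return True
    if who == "anonymous":
        return binder == ""
    if who == "self":
        return binder != "" and binder == target
    m = re.match(r'dn="(.+)"', who)
    return bool(m) and binder == m.group(1)
def granted_level(rules, binder, target):
    # slapd stops at the first "by" clause that matches; no match means none.
    for who, level in rules:
        if who_matches(who, binder, target):
            return level
    return "none"
def allowed(rules, binder, target, needed):
    return LEVELS.index(granted_level(rules, binder, target)) >= LEVELS.index(needed)

# Constructed ACLs: the first behaves like the quoted log (anonymous auth access
# satisfied by a "read" grant from "by *"); the second is the shape Andy recommends.
ACL_READ_ONLY = "access to attr=userPassword\n  by * read"
ACL_FIXED = """access to attr=userPassword
  by dn="cn=manager,dc=example,dc=com" write
  by self write
  by anonymous auth
  by * none"""
USER = "uid=testuser,ou=People,dc=example,dc=com"
MANAGER = "cn=manager,dc=example,dc=com"  # assumed full DN; the thread elides it
OTHER = "uid=other,ou=People,dc=example,dc=com"  # constructed second user
def check(acl_text):
    # What each requester may do with testuser's userPassword under this ACL.
    r = parse_acl(acl_text)
    return {"anon_bind": allowed(r, "", USER, "auth"),          # simple bind needs auth
            "self_change": allowed(r, USER, USER, "write"),    # passwd exop needs write
            "manager_reset": allowed(r, MANAGER, USER, "write"),
            "other_read": allowed(r, OTHER, USER, "read")}     # False once fixed
```

With the read-only ACL the bind succeeds but neither the user nor the manager can write the new password; with Andy's ACL other users can no longer read the hash at all.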