[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP & PAM Config for passwd.


I have looked in older posts, but the solutions didn't solve my problem.

I am trying to set up my server so I can have users in LDAP, and use PAM to get information from there for passwd and vsftpd.  I have added a user to the 
LDAP, and altered /etc/ldap.conf, /etc/pam.d/passwd, /etc/pam.d/vsftpd

I am however unable to do a passwd as root for a user who has forgotten their 
password.  Here is what happens :

whale:~ # passwd greenacres
Changing password for greenacres.
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
Enter login(LDAP) password:
LDAP Password incorrect: try again
New password:
Re-enter new password:
You can only change local passwords.
passwd: Authentication information cannot be recovered

And the password doesn't change.

Should I be entering the root password for the user on the server or the 
password for root in LDAP, either way - it does the same.

I have tried to user ldappasswd with no success either :

ldappasswd -D "cn=root,cn=sws,cn=oldham,cn=net" -W -s password 
"uid=greenacres,cn=sws,cn=oldham,cn=net" -v -x
Enter bind password:
ldap_initialize( <DEFAULT> )
ldap_bind: Invalid credentials

I have tried the "proxyuser" method using /etc/ldap.secret - but that didn't 
work either (I am not too sure *what* that did :-).

I am planning to use TLS (but its not set up yet) so I am not bothered about 
sedning plain text passwords to the LDAP, and letting OpenLDAP do the 
encypting, I think I have it set up like that now.

I think I probably have vsftp working, but can't check due to not knowing the 
test users pasword!

Below are a copy of the relevent section of my files :


base dc=sws,dc=oldham,dc=net
scope one
pam_filter                      objectClass=posixAccount
pam_login_attribute             uid
pam_member_attribute            gid
pam_template_login_attribute    uid
pam_password                    exop
nss_base_passwd                 ou=users,dc=sws,dc=oldham,dc=net?one
nss_base_shadow                 ou=users,dc=sws,dc=oldham,dc=net?one
nss_base_group                  ou=group,dc=sws,dc=oldham,dc=net?one


auth     sufficient     pam_ldap.so
auth     required       pam_unix2.so    nullok
account  sufficient     pam_ldap.so
account  required       pam_unix2.so
password required       pam_pwcheck.so  nullok
password required       pam_unix2.so    nullok use_first_pass use_authtok
password sufficient     pam_ldap.so
session  required       pam_unix2.so


database        ldbm
suffix          "dc=sws,dc=oldham,dc=net"
rootdn          "cn=root,dc=sws,dc=oldham,dc=net"
password-hash   {MD5}
rootpw          {MD5}asdsadsa====d==f=d=sf=3=
directory       /var/lib/ldap
schemacheck     on
sizelimit       2000
lastmod         on
threads         200
concurrency     175
idletimeout     300
cachesize       2000
dbcachesize     10000000
loglevel        100
index   objectClass,uid,uidNumber,gidNumber eq
access to dn=".*,dc=sws,dc=oldham,dc=net" attr=userPassword
        by dn="cn=root,dc=sws,dc=oldham,dc=net" write
        by self write
        by * auth
access to dn=".*,ou=users,dc=sws,dc=oldham,dc=net"
        by * read
access to dn=".*,dc=sws,dc=oldham,dc=net"
        by self write
        by * read

My user is :

n: cn=greenacres, ou=users, dc=sws, dc=oldham, dc=net
cn: Greenacres
sn: Primary School
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
uid: greenacres
userPassword: {crypt}ZoPAp4EhfC..M
uidNumber: 1000
gidNumber: 1000
gecos: Greenacres Primary School
loginShell: /bin/false
homeDirectory: /exports/httpd/oldhamschuk/greenacres
shadowMin: 0
shadowMax: 999999
shadowWarning: 7
shadowInactive: -1
shadowExpire: -1
shadowFlag: 0

Thanks for any help given,

Andrew McCall

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote also confirms that this email message has been swept by
MIMEsweeper for the presence of computer viruses.