
Re: Modifying password by user



On Tuesday 14 April 2009 02:35:31 Franck Royer wrote:
> Hi,
>
>
> I'm installing OpenLDAP on an Ubuntu Intrepid server (8.10). Everything
> is OK except when I want a user to be able to modify his own password
> using phpldapadmin (0x32 LDAP_INSUFFICIENT_ACCESS).

Based on your slapd.conf, this would be the error I would expect.

> So I tried to modify it using ldappasswd:
>
> dante@kollok ~ $ ldappasswd
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> or
>
> dante@kollok ~ $ ldappasswd -D "uid=dante,ou=people,dc=kollok,dc=org"
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)

These two are misleading; it appears you are using SASL when you haven't 
actually got SASL-compatible passwords. Note that PAM doesn't do SASL binds, 
so you should probably be using a simple bind here (see the -x flag).

> The posix user dante is the same user as the ldap one (I use pam
> libs). And I know that my password is right because I can log in to
> ldapadmin or ssh with it.
>
> My slapd.conf : http://pastebin.com/f44dd2b59
> My ldap.conf : http://pastebin.com/f3af1bec3

Please see paragraph ~5 of 'man slapd.conf', which states:

"If a line begins with white space, it is considered a continuation of
the  previous line.  No physical line should be over 2000 bytes long."

Now, please look at line 111 in your slapd.conf on pastebin, and you will 
notice that you have effectively given slapd one line as follows:

# protection des mots de passe access to attrs=userPassword by 
dn="cn=proxy,dc=kollok,dc=org" read by self write by anonymous auth by * none

(which obviously won't do what you want).

Besides this, most likely most of your indexes aren't active, your dbconfig 
directives wouldn't find their way to DB_CONFIG (if it was not already 
present), etc. etc.

You may want to run 'slaptest -d config' to see what slapd does when parsing 
your config file.

Regards,
Buchan
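
The continuation rule quoted in the message above, as an added example that is not part of the original post: a small Python check that groups physical lines the way the man page describes and reports directives that end up folded into a comment. The sample config is constructed, the function names are hypothetical, and the keyword list covers only the directive kinds the reply mentions; this is a simplified model of the rule, not slapd's own parser.

```python
import re

# Constructed sample reproducing the mistake described above (not the poster's file):
# directives indented directly under a comment line.
SAMPLE_CONF = """\
# password protection
 access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

index objectClass eq
# indexes
 index uid eq
access to *
    by * read
"""

# Directive kinds the reply mentions; extend for a real audit.
DIRECTIVE = re.compile(r"^[ \t]+(access|index|dbconfig)\b")

def logical_lines(text):
    """Group physical lines: a line starting with space/tab continues the previous one."""
    groups = []
    for no, raw in enumerate(text.splitlines(), 1):
        if groups and raw[:1] in (" ", "\t"):
            groups[-1].append((no, raw))
        else:
            groups.append([(no, raw)])
    return groups

def effective_line(group):
    """The single line the parser ends up with once continuations are unwrapped."""
    return " ".join(raw.strip() for _, raw in group)

def swallowed_directives(text):
    """Return (comment_lineno, directive_lineno, directive) for directives folded into a comment."""
    hits = []
    for group in logical_lines(text):
        if not group[0][1].startswith("#"):
            continue  # continuation of a real directive is the normal, intended case
        hits += [(group[0][0], no, raw.strip()) for no, raw in group[1:] if DIRECTIVE.match(raw)]
    return hits

if __name__ == "__main__":
    for comment_no, no, directive in swallowed_directives(SAMPLE_CONF):
        print(f"line {no}: '{directive}' is part of the comment starting on line {comment_no}")
```

Any hit means an access rule, index or dbconfig setting that slapd never applies; 'slaptest -d config' remains the authoritative view of what was parsed.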