I am having problems with access control in slapd.conf.
If I leave all access control commented in slapd.conf, the ssh user can login and id works.
But if the users password expires though the use of the ppolicy directives, they are
prompted to change the password but cannot due to an Insufficient access error:
# ssh -l ldap1 localhost
You are required to change your LDAP password immediately.
Last login: Mon Jul 19 10:06:53 2010 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user ldap1.
Enter login(LDAP) password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error
Connection to localhost closed.
These are the openldap components installed on the system:
# rpm -qa | grep ldap
This is a beta release of Red Hat Enterprise v6, but it would seem the Openldap components
should work regardless of the OS components. I am working with this version of Red Hat
to get some experience with the V2.4* Openldap stream, realizing that this is not the latest
version of openldap.
I have tried various access control in slapd.conf that worked quite well in V2.3* of openldap
and released versions of Red Hat OS but any attempt to comment any of the follow lines
from slapd.conf, results in a complete failure of the ldap client to talk to the server.
#access to attrs=userPassword
# by self write
# by anonymous auth
# by dn.base="cn=Manager,dc=osn,dc=cxo,dc=cpqcorp,dc=net" write
# by * none
# by * auth
I would like to understand the rules comfortably before moving to interactive rulesets
and slapd configuration so I am working with slapd.conf.
I have read through the attribute section of the v2.4 Admin guide and believe I understand
the concepts and syntax, but perhaps I am missing something.
I donf't know if Red Hat may have added something unique to this mix. When you run their
authconfig utility to get a base set of ldap configuration attributes, it no longer updates
/etc/ldap.conf but instead it updates /etc/pam_ldap.conf. It also attempts to configure
and start something called nslcd.conf and it's corresponding daemon, nslcd.
nslcd - local LDAP name service daemon. This daemon has it's own configuration file which
looks just like the contents of ldap.conf. If this daemon is not runing, it also appears
that the ldap service does not exist and id and ssh both fail.....id can't find the user and
ssh is denied login access as though the passwords are invalid.
I copied the contents of pam_ldap.conf to /etc/ldap.conf to see if that makes a difference:
Is Red Hat doing something unique here ? Have they bypassed the client's /etc/ldap.conf file
in favor of this new nslcd daemon and pam_ldap.conf file ?
Strings on pam_ldap.so does show a reference to /etc/pam_ldap.conf but nothing for /etc/ldap.conf
I've tried reading through the various README and other docs supplied with this stuff but
nothing seems to indicate a major change in how the ldap client accesses the ldap server
in this version of Red Hat. Can anyone shed some light on this ?
Can I assume that generic openldap clients still expect to use /etc/ldap.conf as the one
and only ldap configuration file and nothing else ?