
Replication and user password change

Hello the list,

I'm new here, new at OpenLDAP and I have an issue.

I've been searching for an explanation for a long time now but have found nothing.

Here is my problem.

I run an OpenLDAP server on a Debian VM:

# slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Jul 23 2010 21:37:26) $


I have many direct clients (desktop computers that query the LDAP server)
and everything works well.

I made this ACL in slapd.conf to allow users to change their password:

access to attrs=userPassword,shadowLastChange
        by self write
        by dn="cn=syncuser,dc=example,dc=com" read
        by anonymous auth
        by * none

access to *
        by self write
        by * read

And it works fine.

These are the only ACLs I have.

I also have 2 replicas of this LDAP server:

syncrepl rid=002
        retry="60 10 300 +"

The replicas work well too and users can connect to those replica
computers (I don't have clients of those replicas).

But the trouble is when a user connected to one of these replicas tries to
change his password:

% passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Strong(er) authentication required
modifications require authentication
passwd: Permission denied
passwd: password unchanged

In the /var/log/auth.log file I found:

Apr  4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:account): password
for user test will expire in 4 days
Apr  4 16:10:45 ovhstorage sshd[22056]: Accepted publickey for test from port 49955 ssh2
Apr  4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:session): session
opened for user test by (uid=0)
Apr  4 16:10:48 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok):
user "test" does not exist in /etc/passwd
Apr  4 16:10:55 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok):
user "test" does not exist in /etc/passwd

I know that modifications must be done on the master server, but how can I
send modifications to the master? Do I have to use "referrals"?

Thanks in advance for giving the correct pointers.

Best regards
Jacques Foucry
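As an added example, not part of Jacques's post or of the OpenLDAP project's documentation, here is a consumer-side slapd.conf fragment showing the two pieces OpenLDAP provides for this situation: updateref, which makes the replica answer writes with a referral to the provider, and the chain overlay, which chases that referral on the server side so a client such as pam_ldap that does not follow referrals still gets its password change through. The provider hostname, the module path, the credentials placeholder and the use of TLS are assumptions; the syncuser DN and suffix are the ones from the post.

```conf
# Global section, before the first database: the chain overlay is loaded here.
# Assumed module name; on Debian the overlay is built into back_ldap.
moduleload      back_ldap.la
overlay         chain
# Assumed provider URL (not given in the post).
chain-uri       "ldap://ldap-master.example.com"
# Bind to the provider as the replication account and assert the identity of
# the user who sent the write, so the provider's "by self write" still applies.
# The provider must allow cn=syncuser to proxy-authorize as users
# (authz-policy plus authzTo/authzFrom), otherwise the chased write is refused.
chain-idassert-bind bindmethod="simple"
        binddn="cn=syncuser,dc=example,dc=com"
        credentials="<SYNCUSER-PASSWORD-PLACEHOLDER>"
        mode="self"
# Assumes the provider offers StartTLS; the password travels over this link.
chain-tls       start
# Hand the provider's real result back to the client instead of a referral.
chain-return-error TRUE

database        bdb
suffix          "dc=example,dc=com"
# ... the syncrepl stanza from the post goes here, unchanged ...
# A consumer is read-only; updateref is what it returns for any write.
# The chain overlay above intercepts this referral and forwards the write.
updateref       "ldap://ldap-master.example.com"
```

Without the chain overlay, updateref alone only works when the client follows the referral and re-binds to the provider, which the pam_ldap-driven passwd shown in the post does not do.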