
Re: Replication and user password change

updateref               ldap://ldapmaster.symas.com



On 04/04/2012 04:13 PM, Jacques Foucry wrote:
Hello the list,

I'm new here, new to OpenLDAP, and I have an issue.

I've been searching for an explanation for a long time now, but I found nothing.

Here is my problem.

I run an OpenLDAP server on a Debian VM:

# slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Jul 23 2010 21:37:26) $


I have many direct clients (desktop computers that query the LDAP server)
and everything works well.

I made this ACL in slapd.conf to allow users to change their password:

access to attrs=userPassword,shadowLastChange
         by self write
         by dn="cn=syncuser,dc=example,dc=com" read
         by anonymous auth
         by * none

access to *
         by self write
         by * read

And it works fine.

These are the only ACLs I have.

I also have 2 replicas of this LDAP server.

syncrepl rid=002
         retry="60 10 300 +"

The replicas work well too, and users can connect to those replica
machines (I don't have clients of those replicas).

But the trouble is when a user connected to one of these replicas tries to
change his password:

% passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Strong(er) authentication required
modifications require authentication
passwd: Permission denied
passwd: password unchanged

In the /var/log/auth.log file I found:

Apr  4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:account): password for user test will expire in 4 days
Apr  4 16:10:45 ovhstorage sshd[22056]: Accepted publickey for test from port 49955 ssh2
Apr  4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:session): session opened for user test by (uid=0)
Apr  4 16:10:48 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd
Apr  4 16:10:55 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd

I know that modifications must be done on the master server, but how can I
send modifications to the master? Do I have to use "referrals"?

Thanks in advance for giving the correct pointers.

Best regards
Jacques Foucry
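As an added illustration of the one-line reply above (not part of the original thread or of any OpenLDAP project file), here is a complete consumer-side slapd.conf fragment that pairs the syncrepl directive with updateref, next to the matching provider-side fragment. The hostnames, the rootdn, the directory path and the replication credentials are assumptions; the suffix and the cn=syncuser DN follow the ACL quoted above.

```conf
### Consumer (replica) side; hostnames, rootdn and credentials are assumed ###
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Pull changes from the provider, binding as the replication user that the
# ACL above grants read access to userPassword and shadowLastChange.
# (The thread only shows rid and retry; the remaining parameters are assumed.)
syncrepl rid=002
        provider=ldap://ldapmaster.example.com
        type=refreshAndPersist
        retry="60 10 300 +"
        searchbase="dc=example,dc=com"
        bindmethod=simple
        binddn="cn=syncuser,dc=example,dc=com"
        credentials="SYNCUSER_PASSWORD_PLACEHOLDER"

# A syncrepl consumer is read-only (a "shadow" context).  Without updateref a
# write such as passwd's modify of userPassword is simply refused; with it the
# replica answers the write with a referral pointing at the provider.
updateref       ldap://ldapmaster.example.com

### Provider (master) side: the same database plus the syncprov overlay ###
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Serve the sync protocol so consumers can replicate from this server.
overlay         syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
```

The replica only returns the referral; the client must follow it and authenticate again against the provider for the password change to take effect, so check that the password-changing tool on the replica hosts chases referrals (or point it at the provider directly).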