[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: root cannot change user password with command "passwd", sssd, pam, openldap

To: openldap-technical@openldap.org
Subject: Re: root cannot change user password with command "passwd", sssd, pam, openldap
From: Augustin Wolf <augustynwilk@gmail.com>
Date: Mon, 22 Jul 2013 22:08:25 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=zB5KBfKG+xa9yVKnPGXM17CfouYIv88qPfWxln6kQQM=; b=aOyKCO/yPwVefzBNunIDdLx0vlphVBKooxhF7Qx35HQHmGNLQoGheDIO8zos6YcGCT 5+0kdJERdyhUYSgtxTwmgD0k65UKL7jFf0rA6ZFFev+a3yPXwjL/Wej6QIs2A8eEVzSx mbItsN4NHGijzX5c6pYuPPvIv41d+nWcpjXk1MRkXg3T+xWQnqKwUkLTBL4F9/iIch2l 6dvQ6I2NYGI9fJ4HkTp4qpBelDjNDtz06xsXmpoXf5znrkjRSP7rUI3X8clDoKSv4n9F Avh3s/iH7uVCbXrOMNbOCK7giMM/zPsfyCwIi8OKTzfRw/8McacjfMakZdWplzpy/VnU koZg==
In-reply-to: <CABbu4yY_zvmJXn-cV8no8Wk-QQQOx93n1U+P0j5u97Eq0Xfu2A@mail.gmail.com>
References: <CACDPosK-8UTgfVOQ3sAg8deenYC0fVaib_On3L2kFZGHgmViGQ@mail.gmail.com> <CABbu4yY_zvmJXn-cV8no8Wk-QQQOx93n1U+P0j5u97Eq0Xfu2A@mail.gmail.com>

On 22 July 2013 18:14, Michael Proto <michael.proto@tstllc.net> wrote:
> I believe you can use the rootbinddn feature in pam_ldap.conf to allow the
rootbinddn is set in pam_ldap.conf and sadly it doesn't work.
I got it set to LDAP admin DN (the same as rootdn in slapd.conf). This
user has more privilages (manage permission to all LDAP attributes)>

On 22 July 2013 14:57, Cooper, Tom <TCooper@fnb.co.za> wrote:
> Root has to use ldappasswd to change users' passwords.
I head to integrate user database with Kerberos. I'm guessing that
ldappaswd doesn't support Kerberos attributes. Does root have to
change password with use of two systems: one for ldap another for
Kerberos?
Does root really has to do double work to change all tokens? Without
it there might be passwords mismatch. Different password for Kerberos
and different for LDAP.

> -Michael Proto

In my struggle with this issue, I noticed, that when I add to
/etc/sssd/sssd.conf :
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = root/admin
ldap_sasl_realm = EXAMPLE.COM
the error message is different:
[root@ldap ~]# passwd test
Changing password for user test.
System is offline, password change not possible
passwd: Authentication token manipulation error
==> /var/log/secure <==
Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication
failed for user test: 20 (Authentication token manipulation error)

thx for reply guys.
>> My configs, logs, etc are in here: http://fpaste.org/26708/

Follow-Ups:
- Re: root cannot change user password with command "passwd", sssd, pam, openldap
  - From: Augustin Wolf <augustynwilk@gmail.com>

References:
- root cannot change user password with command "passwd", sssd, pam, openldap
  - From: Augustin Wolf <augustynwilk@gmail.com>
- Re: root cannot change user password with command "passwd", sssd, pam, openldap
  - From: Michael Proto <michael.proto@tstllc.net>

Prev by Date: OpenLdap from OpenCSW installation
Next by Date: Re: OpenLdap from OpenCSW installation
Index(es):
- Chronological
- Thread