I'm trying to log into an LDAP client. Below I show a
login from the LDAP server to the LDAP client, and another from a normal
workstation on the same subnet to the LDAP client. The workstation is
able to log in, but I am not able to log in from the LDAP server.
server: OpenLDAP 2.4.43
clients: nss-pam-ldapd 0.9.6
Any help much appreciated.
--- from ldap server to ldap client (fails)
$ ssh -l james 10.0.1.2
Enter passphrase for key '/home/james/.ssh/id_rsa':
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
New password:
Retype new password:
password change failed: Server is unwilling to perform
passwd: password updated successfully
Connection to 10.0.1.2 closed.
--- from workstation to ldap client (succeeds)
$ ssh node-2
Password:
You are required to change your password immediately (root enforced)
need a new password
New password:
Retype new password:
password change failed: Insufficient access
node-2(james):~$
$ ldapsearch -x -b 'dc=my,dc=example,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

dn: dc=my,dc=example,dc=com
dc: cem
objectClass: dcObject
objectClass: organization
o: CEM

dn: cn=manager,dc=my,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Admin

dn: ou=groups,dc=my,dc=example,dc=com
ou: groups
description: Groups
objectClass: organizationalUnit

dn: ou=users,dc=my,dc=example,dc=com
ou: users
description: Users
objectClass: organizationalUnit

dn: cn=james,ou=groups,dc=my,dc=example,dc=com
cn: james
objectClass: top
objectClass: posixGroup
gidNumber: 1000

dn: uid=james,ou=users,dc=my,dc=example,dc=com
cn: James
uid: james
uidNumber: 1000
gidNumber: 1000
sn: James
homeDirectory: /home/james
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
gecos: james
shadowLastChange: 0
userPassword:: e1NTSEF9ZjhRMGwwaDk1ek9mMUViaDhreDNlUEsvdFhFb29wV3I=
shadowMax: 9999
shadowWarning: 14

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
/etc/pam.d/system-auth
---
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account optional pam_permit.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password optional pam_permit.so
session required pam_limits.so
session required pam_env.so
session optional pam_ldap.so
session required pam_unix.so
session optional pam_permit.so
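Added example, not from the question or from nss-pam-ldapd/OpenLDAP: a small Python script that parses the uid=james entry shown in the ldapsearch output, applies the shadow(5) aging rules (a shadowLastChange of 0 means "change password at next login", which is what drives the forced change in both sessions above) and reports which RFC 2307 hash scheme the userPassword uses. The six-line LDIF excerpt is constructed from the post's entry, and the days_now parameter is an assumption added so the aging check can be exercised with fixed dates.

```python
import base64
from datetime import date

# Constructed excerpt of the uid=james entry from the ldapsearch output above.
LDIF_ENTRY = """\
dn: uid=james,ou=users,dc=my,dc=example,dc=com
uid: james
shadowLastChange: 0
userPassword:: e1NTSEF9ZjhRMGwwaDk1ek9mMUViaDhreDNlUEsvdFhFb29wV3I=
shadowMax: 9999
shadowWarning: 14
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}; 'attr:: v' is base64."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):                        # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        attrs.setdefault(name, []).append(value.strip())
    return attrs

def shadow_status(attrs, days_now=None):
    """Apply shadow(5) aging to a shadowAccount entry. days_now is days since
    1970-01-01 (default: today). Returns must_change, expired, warn or ok."""
    if days_now is None:
        days_now = (date.today() - date(1970, 1, 1)).days
    last = int(attrs.get("shadowLastChange", ["-1"])[0])
    max_age = int(attrs.get("shadowMax", ["99999"])[0])
    warn = int(attrs.get("shadowWarning", ["0"])[0])
    if last == 0:                  # shadow(5): 0 = must change at next login
        return "must_change"
    if last < 0:                   # aging disabled for this account
        return "ok"
    expires = last + max_age
    if days_now > expires:
        return "expired"
    if days_now >= expires - warn:
        return "warn"
    return "ok"

def password_scheme(attrs):
    """Return the RFC 2307 {SCHEME} prefix of userPassword, or 'cleartext'."""
    pw = attrs["userPassword"][0]
    return pw[1:pw.index("}")] if pw.startswith("{") and "}" in pw else "cleartext"
```

For the entry in the post this returns must_change and SSHA: the account is not expired at all, it is flagged for a mandatory change, so the interesting failure is the password *update* that follows, not the login check.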