
ldap client login

I'm trying to log in to an LDAP client host. Below I show a login from the LDAP server itself to the LDAP client, and another from a normal workstation on the same subnet to the same LDAP client. The login from the workstation succeeds, but the login from the LDAP server does not.
server: OpenLDAP 2.4.43
clients: nss-pam-ldapd 0.9.6
Any help much appreciated.
--- from ldap server to ldap client (fails)
$ ssh -l james
Enter passphrase for key '/home/james/.ssh/id_rsa':
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
New password:
Retype new password:
password change failed: Server is unwilling to perform
passwd: password updated successfully
Connection to closed.
--- from workstation to ldap client (login succeeds; note the password change itself still fails)
$ ssh node-2
You are required to change your password immediately (root enforced)
need a new password
New password:
Retype new password:
password change failed: Insufficient access
$ ldapsearch -x -b 'dc=my,dc=example,dc=com' '(objectclass=*)'
# NOTE(review): "-x" with no "-D"/"-w" is a simple *anonymous* bind, and the
# result below still includes userPassword. The directory ACL therefore lets
# anyone who can reach the server read password hashes (a disclosure problem
# on its own), and the same ACL shape is the usual cause of the
# "Insufficient access" seen on password change: anonymous read is granted on
# userPassword but there is no "by self write". The standard OpenLDAP pattern,
# placed before any catch-all "access to *" rule, is roughly:
#   access to attrs=userPassword,shadowLastChange
#       by self write
#       by anonymous auth
#       by * none
# (exact form depends on slapd.conf vs. cn=config / olcAccess — verify.)
# extended LDIF
# LDAPv3
# base <dc=my,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# my.example.com
dn: dc=my,dc=example,dc=com
# NOTE(review): dc is "cem" but the RDN is dc=my; presumably an anonymisation
# artefact in the post, since slapd normally requires the naming attribute's
# value to be present in the entry — confirm against the real directory.
dc: cem
objectClass: dcObject
objectClass: organization
o: CEM
# manager, my.example.com
dn: cn=manager,dc=my,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Admin
# groups, my.example.com
dn: ou=groups,dc=my,dc=example,dc=com
ou: groups
description: Groups
objectClass: organizationalUnit
# users, my.example.com
dn: ou=users,dc=my,dc=example,dc=com
ou: users
description: Users
objectClass: organizationalUnit
# james, groups, my.example.com
dn: cn=james,ou=groups,dc=my,dc=example,dc=com
cn: james
objectClass: top
objectClass: posixGroup
gidNumber: 1000
# james, users, my.example.com
dn: uid=james,ou=users,dc=my,dc=example,dc=com
cn: James
uid: james
uidNumber: 1000
gidNumber: 1000
sn: James
homeDirectory: /home/james
mail: james@example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
gecos: james
# shadowLastChange of 0 is what produces "You are required to change your
# password immediately (root enforced)" at login (served to pam_unix through
# the shadow map, presumably via nss-pam-ldapd). Whatever performs the
# password change must also be allowed to update this attribute, or the
# forced-change prompt will recur on every login.
shadowLastChange: 0
# The value below is a {SSHA} (salted SHA-1) hash. It has now been published
# to a public list; rotate this user's password once the write ACL is fixed.
userPassword:: e1NTSEF9ZjhRMGwwaDk1ek9mMUViaDhreDNlUEsvdFhFb29wV3I=
shadowMax: 9999
shadowWarning: 14
# search result
search: 2
result: 0 Success
# numResponses: 7
# numEntries: 6
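# PAM stack for an nss-pam-ldapd client: local accounts (pam_unix) are tried
# first, directory accounts (pam_ldap) second. Lines are evaluated in order,
# and a failing "sufficient" module is silently skipped, so the *last* line
# of each phase decides what happens when nothing above it succeeded.
auth            required        pam_env.so
# NOTE(review): nullok lets a local account with an empty password field log
# in; keep it only if that is deliberate.
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so
account         required        pam_unix.so
account         [default=bad success=ok user_unknown=ignore]   pam_ldap.so  
account         optional        pam_permit.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
# When neither pam_unix nor pam_ldap stores the new password their failures are
# ignored, and the only recorded results are pam_cracklib's (and, before this
# fix, pam_permit's) success — so passwd printed "password updated
# successfully" right after pam_ldap reported "Server is unwilling to
# perform". Ending the phase with an explicit deny, as the auth phase already
# does, makes a rejected change surface as a failure instead of a false success.
password        required        pam_deny.so
session         required        pam_limits.so
session         required        pam_env.so
session         optional        pam_ldap.so
session         required        pam_unix.so
session         optional        pam_permit.so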