
Re: Getting ldappasswd and PAM in the same page under CentOS 7





On 19/09/2017 at 18:45, Robert Heller wrote:
I am having a hard time setting a user password using ldap (OpenLDAP
2.4.40-13.el7) on a CentOS 7 system.

I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client),
nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have
created a user in the ldap database, and getent works just fine -- the uid and
gid are seen, etc. But I cannot set the user's password in a way that works
for su (and presumably login/slogin, etc.).  I am using ldappasswd to set the
user's password.

I am thinking that PAM and ldappasswd are using *different* one-way encryption
methods and I am guessing I need to update a configuration somewhere (either
for pam, sssd, or nslcd), but I am not finding it.

PAM is an LDAP client, so it does not read the password; it just sends BIND requests, and the OpenLDAP server then checks the password by using the hashing method corresponding to the current password value.

Can you check in your server ACLs (olcAccess parameter) that anonymous users have the 'auth' right on the userPassword attribute?

--
Clément OUDOT
Free software consultant, infrastructure and security expert
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
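
The ACL check suggested in the reply above, as an added example (not part of the original thread and not OpenLDAP's own code): a simplified Python model of how slapd selects the olcAccess rule that decides whether an anonymous BIND may authenticate against userPassword. The function name and the sample olcAccess values are constructed for illustration, and only `to *` and `to attrs=` targets with plain level names are handled.

```python
import re

# Access levels in increasing order (slapd.access(5)); 'auth' is enough to bind.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def anonymous_can_auth(olc_access, attr="userPassword"):
    """Return (allowed, deciding_rule) for an anonymous bind that uses `attr`.

    Simplified model: supports 'to *' and 'to attrs=a,b' targets with plain
    level names; anything else raises ValueError instead of guessing.
    """
    if not olc_access:
        # With no ACLs at all, slapd falls back to: access to * by * read
        return True, "(default) to * by * read"

    def index(value):  # cn=config stores rules as '{n}to ...'
        m = re.match(r"\{(\d+)\}", value)
        return int(m.group(1)) if m else 0

    for value in sorted(olc_access, key=index):
        rule = re.sub(r"^\{\d+\}", "", value).strip()
        m = re.match(r"to\s+(\S+)\s+(.*)", rule, re.S)
        if not m:
            raise ValueError(f"unparsed rule: {rule}")
        what, by_clauses = m.groups()
        if what != "*":
            if not what.startswith("attrs="):
                raise ValueError(f"unsupported target: {what}")
            if attr.lower() not in what[6:].lower().split(","):
                continue  # rule does not cover this attribute
        # The first rule whose target matches decides; inside it, the first
        # matching 'by' clause wins. Anonymous matches 'anonymous' and '*'.
        for who, level in re.findall(r"by\s+(\S+)\s+(\S+)", by_clauses):
            if who in ("anonymous", "*"):
                return LEVELS.index(level) >= LEVELS.index("auth"), rule
        return False, rule  # implicit trailing 'by * none'
    return False, "(implicit) to * by * none"

# Constructed sample values (not from the thread).
LOCKED = ['{0}to attrs=userPassword,shadowLastChange by self write by * none',
          '{1}to * by * read']
FIXED = ['{0}to attrs=userPassword,shadowLastChange by self write '
         'by anonymous auth by * none',
         '{1}to * by * read']

if __name__ == "__main__":
    for name, acl in (("LOCKED", LOCKED), ("FIXED", FIXED)):
        print(name, anonymous_can_auth(acl))
```

With the `LOCKED` values the bind is refused before any password hash is compared, which looks the same to PAM as a wrong password.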