
Re: Getting ldappasswd and PAM in the same page under CentOS 7



At Wed, 20 Sep 2017 09:09:23 +0200 Clément OUDOT <clement.oudot@savoirfairelinux.com> wrote:

> 
> On 19/09/2017 at 18:45, Robert Heller wrote:
> > I am having a hard time setting a user password using ldap (OpenLDAP
> > 2.4.40-13.el7) on a CentOS 7 system.
> >
> > I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client),
> > nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have
> > created a user in the ldap database, and getent works just fine -- the uid and
> > gid are seen, etc. But I cannot set the user's password in a way that works
> > for su (and presumably login/slogin, etc.).  I am using ldappasswd to set the
> > user's password.
> >
> > I am thinking that PAM and ldappasswd are using *different* oneway encryption
> > methods and I am guessing I need to update a configuration somewhere (either
> > for pam, sssd, or nslcd), but I am not finding it.
> 
> PAM is an LDAP client so does not read the password, it just sends BIND
> requests and OpenLDAP server then checks the password by using the
> hashing method corresponding to the current password value.
> 
> Can you check in your server ACLs (olcAccess parameter) that anonymous
> users have the 'auth' right on userPassword attribute?

OK, I will check...

> 
> -- 
> Clément OUDOT
> Free software consultant, infrastructure and security expert
> Savoir-faire Linux
> 137 boulevard de Magenta - 75010 PARIS
> Blog: http://sflx.ca/coudot

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Custom Software Services
http://www.deepsoft.com/  -- Linux Administration Services
heller@deepsoft.com       -- Webhosting Services
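
The ACL check suggested in the quoted reply, as an added example (not code from the thread or from OpenLDAP): a simplified evaluator that walks olcAccess values in order and reports what an unauthenticated client is granted on userPassword. It assumes every rule applies to the user's entry (dn= and filter= scoping is ignored), handles only named access levels, and treats "continue" like "stop"; the sample rules are constructed.

```python
import re
import shlex

# Access levels in increasing order (slapd.access(5)); a BIND needs at least "auth".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_rule(pos, value):
    """Split one olcAccess value into (order, what, [(who, access, control)], raw)."""
    m = re.match(r"\s*(?:\{(\d+)\})?\s*to\s+(.*?)\s+by\s+(.*)$", value, re.S)
    if not m:
        raise ValueError("not an olcAccess value: %r" % value)
    clauses = []
    for clause in re.split(r"\s+by\s+", m.group(3).strip()):
        who, *rest = shlex.split(clause)
        control = rest.pop() if rest and rest[-1] in ("stop", "continue", "break") else "stop"
        clauses.append((who, rest[0] if rest else "none", control))
    order = int(m.group(1)) if m.group(1) else pos
    return order, m.group(2), clauses, value

def covers(what, attr):
    """True if the <what> part has no attrs= list or the list names attr."""
    m = re.search(r"\battrs?=(\S+)", what)
    return m is None or attr.lower() in m.group(1).lower().split(",")

def anonymous_access(values, attr="userPassword"):
    """Return (level, deciding rule) for an unauthenticated client on attr."""
    if not values:
        return "read", None  # no ACLs at all: slapd defaults to "to * by * read"
    for _, what, clauses, raw in sorted(parse_rule(i, v) for i, v in enumerate(values)):
        if not covers(what, attr):  # simplification: dn=/filter= scoping is ignored
            continue
        for who, access, control in clauses:
            if who in ("*", "anonymous"):
                if control == "break":
                    break  # keep evaluating the following rules
                return access, raw
        else:
            return "none", raw  # every rule ends with an implicit "by * none"
    return "none", None  # implicit final "to * by * none"

def acl_allows_bind(values):
    """True if anonymous holds at least 'auth' on userPassword."""
    return LEVELS.index(anonymous_access(values)[0]) >= LEVELS.index("auth")

# Constructed sample values, not taken from the thread.
DENIES = ['{0}to attrs=userPassword,shadowLastChange by self write by * none',
          '{1}to * by * read']
ALLOWS = ['{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none',
          '{1}to * by * read']
```

With a rule set like DENIES the server cannot compare the submitted password during the BIND, so su and login fail even though ldappasswd stored a valid hash; feed the function the olcAccess values read from the database entry under cn=config.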