
Re: Ldap and passwd command



On Wednesday 21 January 2004 17:22, Adam Williams wrote:
> >I have been running openldap for a while on Linux but I was wondering,
> >how do you let root use the passwd command to change the users password?
>
> This is really a PAM related question.
>
> I answer it in my LDAP presentation -
> ftp://ftp.kalamazoolinux.org/pub/pdf/ldapv3.pdf
>
> Hint: "rootbinddn" in /etc/ldap.conf

I have now had a look at the presentation and tried for a day to find where I 
am going wrong with this.  I have also tried several times to access the padl 
lists, without success, so please forgive my responding here rather than 
there.

I have what I believe to be the configuration that your presentation says it 
requires, but still cannot change a password as root without having to login 
to the ldap server first as the user.  This even applies to the root user.

I have this in my /etc/openldap/ldap.conf

host		ldap
base		dc=damonjebb,dc=net
ldap_version	3

rootbinddn 	cn=root,dc=damonjebb,dc=net
scope sub

pam_filter		objectClass=posixaccount
pam_login_attribute	uid
pam_member_attribute	gid
pam_password 		exop
<note - I have had this set to md5 and crypt at various times without any 
difference.  The slapd.conf has {crypt} with a salt for md5>

nss_base_passwd	ou=People,dc=damonjebb,dc=net?sub
nss_base_shadow	ou=People,dc=damonjebb,dc=net?one
nss_base_group	ou=Group,dc=damonjebb,dc=net?one
nss_base_hosts	ou=Hosts,dc=damonjebb,dc=net?one

and a /etc/ldap.secret file with the password in it in plain text format and a 
blank line below (which I read is required).

This is my current /etc/pam.d/passwd file...

auth		required		pam_env.so
auth		sufficient		pam_unix2.so	likeauth nullok
auth		required		pam_deny.so

account		sufficient		pam_unix2.so
account		required		pam_deny.so

password	required		pam_pwcheck.so	nullok
password	required		pam_unix2.so	nullok  md5 use_first_pass use_authtok

session 	required		pam_unix2.so

This is a SuSe 9 box, and the pam_unix2.conf file specifies the use of 
pam_ldap, so it is not required (and clearly is being used as I am required to 
log in before accessing the server).

I know that the ldap.conf file is being used during the client access to the 
ldap server because some changes to it have broken it.
I can see from the log file using debug level 128 that the bind is anonymous 
not with the dn specified in the file.  What am I doing wrong?  When I 
disallow anonymous bind in the slapd.conf nothing works properly.

Thanks for any help you might be able to offer.

Damon
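Added here as an illustration, not part of the thread: a small Python checker for the two things pam_ldap needs before it will bind as rootbinddn rather than anonymously, namely the rootbinddn keyword in the ldap.conf it actually reads and a root-only secret file whose first line is the bind password. The config sample and the secret file are constructed from the settings quoted above; the file paths passed in are assumptions.

```python
import os
import stat
import tempfile

# Constructed sample: the root-bind keys from the client config quoted in the post above.
SAMPLE_LDAP_CONF = """\
host\t\tldap
base\t\tdc=damonjebb,dc=net
rootbinddn \tcn=root,dc=damonjebb,dc=net
"""

def parse_ldap_conf(text):
    """Parse PADL-style ldap.conf: one 'keyword value' per line, keywords case-insensitive."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return settings

def check_root_bind(conf_text, secret_path):
    """Reasons a root-run passwd would bind anonymously; empty means rootbinddn is set
    and the secret file (password on line 1, mode 0600) is usable."""
    problems = []
    if "rootbinddn" not in parse_ldap_conf(conf_text):
        problems.append("rootbinddn is not set in ldap.conf")
    try:
        st = os.stat(secret_path)
    except FileNotFoundError:
        problems.append(f"{secret_path} is missing, so rootbinddn cannot be used")
        return problems
    if stat.S_IMODE(st.st_mode) & 0o077:
        problems.append(f"{secret_path} is group/world readable; it should be mode 0600")
    with open(secret_path) as fh:
        if not fh.readline().rstrip("\r\n"):
            problems.append(f"line 1 of {secret_path} is empty; the password belongs there")
    return problems

def demo():
    """Write a constructed secret file with mode 0600 and run the check against it."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("constructed-secret\n\n")  # password on line 1, blank line after it
        path = fh.name
    os.chmod(path, 0o600)
    try:
        return check_root_bind(SAMPLE_LDAP_CONF, path)
    finally:
        os.unlink(path)
```

Note that PADL's pam_ldap and nss_ldap read /etc/ldap.conf by default, while /etc/openldap/ldap.conf is the OpenLDAP client library's own file, so the checker should be pointed at whichever file the PAM module is built to use.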