
Replication and user password change



Hello the list,

I'm new here, new at OpenLDAP and I have an issue.

I've searched for a long time now for an explanation but I saw nothing.

Here is my problem.

I ran an OpenLDAP server on a Debian VM

# slapd -V
@(#) $OpenLDAP: slapd 2.4.11 (Jul 23 2010 21:37:26) $

@barber:/build/buildd-openldap_2.4.11-1+lenny2-amd64-WJ2jlD/openldap-2.4.11/debian/build/servers/slapd

I have many direct clients (desktop computers that query the LDAP server)
and everything works well.

I made this ACL in slapd.conf to allow users to change their password:

access to attrs=userPassword,shadowLastChange
        by self write
        by dn="cn=syncuser,dc=example,dc=com" read
        by anonymous auth
        by * none

access to *
        by self write
        by * read

And it works fine.

These are the only ACLs I have.


I also have 2 replications of this LDAP Server.

syncrepl rid=002
        provider=ldaps://ldap.example.com
        type=refreshOnly
        interval=00:01:00:00
        retry="60 10 300 +"
        filter="(objectClass=*)"
        scope=sub
        attrs="*"
        bindmethod=simple
        schemachecking=off
        searchbase="dc=example,dc=com"
        binddn="cn=syncuser,dc=example,dc=com"
        credentials=youdonthavetoknow
        tls_reqcert=never

The replications work well too and users can connect to those replication
computers (I don't have clients of those replications).

But the trouble is when a user, connected to these replications, tries to
change his password:

% passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Strong(er) authentication required
modifications require authentication
passwd: Permission denied
passwd: password unchanged


In the /var/log/auth.log file I found:

Apr  4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:account): password for user test will expire in 4 days
Apr  4 16:10:45 ovhstorage sshd[22056]: Accepted publickey for test from 88.162.182.86 port 49955 ssh2
Apr  4 16:10:45 ovhstorage sshd[22056]: pam_unix(sshd:session): session opened for user test by (uid=0)
Apr  4 16:10:48 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd
Apr  4 16:10:55 ovhstorage passwd[22064]: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd

I know that modifications must be done on the master server, but how can I
send modifications to the master? Do I have to use "referrals"?

Thanks in advance for giving the correct pointers.

Best regards
Jacques Foucry