Re: root cannot change user password with command "passwd", sssd, pam, openldap

On 22 July 2013 18:14, Michael Proto <michael.proto@tstllc.net> wrote:
> I believe you can use the rootbinddn feature in pam_ldap.conf to allow the
rootbinddn is set in pam_ldap.conf and sadly it doesn't work.
I got it set to the LDAP admin DN (the same as rootdn in slapd.conf). This
user has more privileges (manage permission to all LDAP attributes).

On 22 July 2013 14:57, Cooper, Tom <TCooper@fnb.co.za> wrote:
> Root has to use ldappasswd to change users' passwords.
I had to integrate the user database with Kerberos. I'm guessing that
ldappasswd doesn't support Kerberos attributes. Does root have to
change the password with the use of two systems: one for LDAP, another for
Does root really have to do double work to change all tokens? Without
it there might be a password mismatch: a different password for Kerberos
and a different one for LDAP.

> -Michael Proto

In my struggle with this issue, I noticed that when I add to
/etc/sssd/sssd.conf:
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = root/admin
ldap_sasl_realm = EXAMPLE.COM
the error message is different:
[root@ldap ~]# passwd test
Changing password for user test.
System is offline, password change not possible
passwd: Authentication token manipulation error
==> /var/log/secure <==
Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication
failed for user test: 20 (Authentication token manipulation error)

Thanks for the reply, guys.
>> My configs, logs, etc are in here: http://fpaste.org/26708/
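The poster's sssd.conf fragment and the pam_sss line from /var/log/secure are the two things anyone following this thread would inspect first. The script below is an added example, not the poster's code or part of sssd: it parses pam_sss failures out of secure-log text (the "20" in the quoted line is the PAM status code, PAM_AUTHTOK_ERR) and, from an sssd.conf, derives the full Kerberos principal that the GSSAPI bind will use and the keytab it must be found in, which is the first thing to verify when a GSSAPI-backed domain reports "System is offline". The sample config and log lines are constructed here; the domain section name, the krb5 provider lines and the default keytab path /etc/krb5.keytab (sssd's default when ldap_krb5_keytab is unset) are assumptions, not taken from the poster's actual configs.

```python
import configparser
import re

# Constructed sample input modelled on the sssd.conf fragment in the post.
# The [domain/example.com] section name and the *_provider lines are assumptions.
SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = root/admin
ldap_sasl_realm = EXAMPLE.COM
"""

# Constructed log lines in the /var/log/secure format quoted in the post.
SECURE_LOG = """\
Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication failed for user test: 20 (Authentication token manipulation error)
Jun 25 16:28:01 ldap sshd[1234]: pam_unix(sshd:session): session opened for user root
"""

# Matches pam_sss(service:function): <message> for user <name>: <code> (<text>)
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):(?P<function>\w+)\): "
    r"(?P<msg>.*?) for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)


def parse_pam_sss(log_text):
    """Return one dict per pam_sss failure line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = PAM_SSS_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["code"] = int(ev["code"])  # numeric PAM status, e.g. 20 = PAM_AUTHTOK_ERR
        events.append(ev)
    return events


def gssapi_bind_info(conf_text, domain):
    """Work out which principal/keytab sssd's LDAP provider will use for GSSAPI.

    Returns None when the domain does not bind with GSSAPI; otherwise a dict
    with the principal, keytab path and a list of problems found in the config.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sec = cp["domain/%s" % domain]
    if sec.get("ldap_sasl_mech", "").upper() != "GSSAPI":
        return None

    issues = []
    authid = sec.get("ldap_sasl_authid")
    realm = sec.get("ldap_sasl_realm")
    if not authid:
        issues.append("ldap_sasl_mech is GSSAPI but ldap_sasl_authid is unset")
        authid = ""
    if realm and realm != realm.upper():
        issues.append("ldap_sasl_realm %r is not upper-case; Kerberos realms usually are" % realm)

    # A bare "name/instance" gets the configured realm appended; an authid that
    # already carries "@REALM" is used as-is.
    principal = authid if "@" in authid else (authid + "@" + realm if authid and realm else authid)

    # Assumption: sssd reads the keytab named by ldap_krb5_keytab, defaulting
    # to /etc/krb5.keytab; the principal must exist there for the bind to work.
    keytab = sec.get("ldap_krb5_keytab", "/etc/krb5.keytab")

    return {
        "principal": principal,
        "keytab": keytab,
        "auth_provider": sec.get("auth_provider"),
        "chpass_provider": sec.get("chpass_provider"),
        "issues": issues,
    }


if __name__ == "__main__":
    for ev in parse_pam_sss(SECURE_LOG):
        print("pam_sss %s/%s user=%s code=%d (%s)" % (
            ev["service"], ev["function"], ev["user"], ev["code"], ev["text"]))
    info = gssapi_bind_info(SSSD_CONF, "example.com")
    if info:
        print("GSSAPI bind principal: %s (expected in %s)" % (info["principal"], info["keytab"]))
        print("check with: klist -kt %s" % info["keytab"])
        for problem in info["issues"]:
            print("config issue:", problem)
```

With the constructed input the script reports the chauthtok failure for user test with code 20 and tells you to look for root/admin@EXAMPLE.COM in /etc/krb5.keytab. Whether that principal is actually present on the poster's host is not something the thread shows; the script only narrows down what to check.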