[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: root cannot change user password with command "passwd", sssd, pam, openldap

To: openldap-technical@openldap.org
Subject: Re: root cannot change user password with command "passwd", sssd, pam, openldap
From: Augustin Wolf <augustynwilk@gmail.com>
Date: Tue, 23 Jul 2013 23:01:26 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=1+g7x56vmF9o3GLoXeU2aFR5LKUU47Mo2nvRJ97v5mo=; b=n3Fkq+eOGdLRPYhswdg8or4EQDwaO+aUxHZkBkBNPOpepYFjRORogxHogCo4drC/Qq j/FVh+xfFZab/rP2LpBL8Em/VZJnCV6K7nmu9yfOpfvGvrsnOJVvbhNCQb+wNmlVb91Z aEfteAY2YY9SAQ9tA/uwzN9F+zRf2mW/pXuParytpyqrgXbGfxv0LQSJJvUt3LVOqmXl ZZyok65EggnqQHHOzEcXNHAuPo/sFASoLTVjQv7J8fqrATIiCt+pwe10BYkmxVZ/gQ1U x3e1JRBTo2tQUFb8Ec5EtFG2L2P07tliaTpS0bzvNlcTSGpOzLuzlC3armeoavVU5H68 h2Yg==
In-reply-to: <CACDPosKKgXYqQVP+7h8gr83DOAd83Y0JftzNtJWPS8dNSk_gAQ@mail.gmail.com>
References: <CACDPosK-8UTgfVOQ3sAg8deenYC0fVaib_On3L2kFZGHgmViGQ@mail.gmail.com> <CABbu4yY_zvmJXn-cV8no8Wk-QQQOx93n1U+P0j5u97Eq0Xfu2A@mail.gmail.com> <CACDPosKKgXYqQVP+7h8gr83DOAd83Y0JftzNtJWPS8dNSk_gAQ@mail.gmail.com>

Answer: you cannot change password using passwd, as sssd doesn't
support such feature. There might be change to sss_ldap.so to prompt
for ldap admin DN and password, but ldapasswd and kpasswd are
considered sufficient tools.

For more info see this thread:
https://lists.fedoraproject.org/pipermail/users/2013-July/438605.html.

On 22 July 2013 22:08, Augustin Wolf <augustynwilk@gmail.com> wrote:
> On 22 July 2013 18:14, Michael Proto <michael.proto@tstllc.net> wrote:
>> I believe you can use the rootbinddn feature in pam_ldap.conf to allow the
> rootbinddn is set in pam_ldap.conf and sadly it doesn't work.
> I got it set to LDAP admin DN (the same as rootdn in slapd.conf). This
> user has more privilages (manage permission to all LDAP attributes)>
>
> On 22 July 2013 14:57, Cooper, Tom <TCooper@fnb.co.za> wrote:
>> Root has to use ldappasswd to change users' passwords.
> I head to integrate user database with Kerberos. I'm guessing that
> ldappaswd doesn't support Kerberos attributes. Does root have to
> change password with use of two systems: one for ldap another for
> Kerberos?
> Does root really has to do double work to change all tokens? Without
> it there might be passwords mismatch. Different password for Kerberos
> and different for LDAP.
>
>> -Michael Proto
>
>
> In my struggle with this issue, I noticed, that when I add to
> /etc/sssd/sssd.conf :
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = root/admin
> ldap_sasl_realm = EXAMPLE.COM
> the error message is different:
> [root@ldap ~]# passwd test
> Changing password for user test.
> System is offline, password change not possible
> passwd: Authentication token manipulation error
> ==> /var/log/secure <==
> Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication
> failed for user test: 20 (Authentication token manipulation error)
>
> thx for reply guys.
>>> My configs, logs, etc are in here: http://fpaste.org/26708/

References:
- root cannot change user password with command "passwd", sssd, pam, openldap
  - From: Augustin Wolf <augustynwilk@gmail.com>
- Re: root cannot change user password with command "passwd", sssd, pam, openldap
  - From: Michael Proto <michael.proto@tstllc.net>
- Re: root cannot change user password with command "passwd", sssd, pam, openldap
  - From: Augustin Wolf <augustynwilk@gmail.com>

Prev by Date: Re: undocumented TLSProtocolMin
Next by Date: TLS, integrity and root DSE
Index(es):
- Chronological
- Thread