
I am trying to allow LDAP users to change their password on client machines. I have tried PAM every which way I can think of, and /etc/ldap.conf & /etc/pam_ldap.conf as well. At this point I'm stuck.

Client: Ubuntu 11.04
Server: Debian 6.0

The current output is this:

    sobrien4@T-E700F-1:~$ passwd
    passwd: Authentication service cannot retrieve authentication info
    passwd: password unchanged

/var/log/auth.log gives this during the command:

    May 9 10:49:06 T-E700F-1 passwd[18515]: pam_unix(passwd:chauthtok): user "sobrien4" does not exist in /etc/passwd
    May 9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server
    May 9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: reconnecting to LDAP server...
    May 9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server

getent passwd | grep sobrien4 (note: keeping this short since I am testing with that account; it does output all LDAP users):

    sobrien4:Ffm1oHzwnLz0U:10000:12001:Sean O'Brien:/home/sobrien4:/bin/bash

getent group shows all ldap groups.

/etc/pam.d/common-password (note: this is just the most recent; I have tried a lot of different options):

    password required pam_cracklib.so retry=3 minlen=8 difok=3
    password [success=1 default=ignore] pam_unix.so use_authtok md5
    password required pam_ldap.so use_authtok
    password required pam_permit.so

I popped open Wireshark as well; the server and client are talking.

I have the password changing working on the server, i.e. on the server that runs slapd I can log in with the LDAP user and change the passwords. I tried copying the working configs from the server initially, and no dice.

I also tried cloning it and just changing the IP and hostname, and no go. My guess is that the client is not authorized by IP or hostname to change a password.

Pertaining to the slapd conf, I saw this in a guide and tried it:

    access to attrs=loginShell,gecos
        by dn="cn=admin,dc=cengineering,dc=etb" write
        by self write
        by * read
    access to *
        by dn="cn=admin,dc=cengineering,dc=etb" write
        by self write
        by * read

So ldap seems to be working okay, just can't change the password.

3 Answers


I think you need to allow auth binding for it to work. By this I mean the user connects to the LDAP server (or PAM proxies it) and presents his/her credentials. If the LDAP server likes what it sees, the auth bind succeeds and PAM knows that your user/pass pair is correct. Please see the example in Zytrax's book.

Adjust your ACL to have a section similar to

    # ACL1
    access to attrs=userpassword
        by self write
        by anonymous auth
        by group.exact="cn=itpeople,ou=groups,dc=example,dc=com" write
        by * none

I've experienced this exact same problem before; in order to resolve it, I needed to remove use_authtok. This allowed us to then change users' passwords using passwd. I'm not sure what repercussions this would have if your authentication chain requires tokens, but this should do the trick if you only auth via LDAP.


I'm using the following configuration for PAM passwd support:

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_ldap.so try_first_pass use_authtok
    password sufficient pam_unix.so sha512 shadow nullok use_authtok try_first_pass
    password required pam_deny.so

Also remember that ACLs should be configured from most specific to least specific, because the first matching entry wins. Mine looks like this:

    access to attrs=userPassword
        by dn="cn=admin,dc=hell" write
        by set="[cn=admins,ou=access groups,ou=groups,dc=hell]/memberUid & user/uid" write
        by anonymous auth
        by self write
        by * none

(BTW, I'd recommend the original OpenLDAP administration guide over the Zytrax book; the book uses the guide as a source anyway, but frequently introduces errors where it strays from the original text.)
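Added example, not code from the question or from any of the answers: a small Python model of how slapd walks `access to` directives (first matching `to <what>` wins, then the first matching `by <who>` inside it, levels ordered none < disclose < auth < compare < search < read < write). It is run over the ACL quoted in the question and over the userPassword rule from the first answer, and also illustrates the ordering point made in the third answer. Assumptions for the illustration: the DNs below the dc=cengineering,dc=etb suffix, the `cn=itpeople` group membership, the `to *` catch-all appended after the userPassword rule, and the toy's "none" result when no directive matches at all (slapd's own fallback is documented in slapd.access(5)); `set=` selectors are not modelled. Under the question's ACL the model grants self write on userPassword, so the access rules as quoted do not by themselves deny a self-initiated change; they also grant anonymous read on userPassword, which is consistent with getent printing a crypt hash in the password field above. With the userPassword rule in place anonymous sessions get only `auth`, which is enough to bind; move the `to *` directive above it and the hash becomes readable again.

```python
"""Toy model of slapd 'access to' evaluation (OpenLDAP admin guide, Access Control chapter).

Modelled: directives are tried in order and the FIRST 'to <what>' matching the target
attribute is the only one consulted; inside it the first matching 'by <who>' decides the
level; a matched directive with no matching 'by' behaves as 'by * none'; a grant satisfies
any request at the same or a lower level. Simplifications: only '*' and 'attrs=' for <what>;
only '*', 'anonymous', 'users', 'self', 'dn[.exact]=' and 'group[.exact]=' for <who>; 'none'
when nothing matches (an assumption, not slapd's real fallback); DNs compared case-insensitively.
"""
import re
from dataclasses import dataclass
from typing import Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def norm_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


@dataclass
class Request:
    requester: Optional[str]  # bound DN, or None for an anonymous session
    entry: str                # DN of the entry being accessed
    attr: Optional[str]       # attribute being accessed, or None for the entry itself
    wanted: str               # level the operation needs: "auth", "read", "write", ...


@dataclass
class Directive:
    attrs: Optional[set]      # None means 'to *'
    by: list                  # ordered (who-selector, granted-level) pairs


def parse_directive(text: str) -> Directive:
    """Parse one 'access to <what> by <who> <level> [by ...]' directive."""
    head, *clauses = re.split(r"\s+by\s+", " ".join(text.split()))
    m = re.fullmatch(r"access\s+to\s+(.+)", head)
    if not m:
        raise ValueError(f"not an access directive: {text!r}")
    what = m.group(1).strip()
    if what == "*":
        attrs = None
    elif what.startswith("attrs="):
        attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
    else:
        raise ValueError(f"unsupported <what> selector: {what!r}")
    by = []
    for clause in clauses:
        who, level = clause.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError(f"unsupported access level: {level!r}")
        by.append((who, level))
    return Directive(attrs, by)


def who_matches(who: str, req: Request, groups: dict) -> bool:
    """Does a <who> selector match the requester? groups maps group DN -> member DNs."""
    bound = norm_dn(req.requester) if req.requester else None
    if who == "*":
        return True
    if who == "anonymous":
        return bound is None
    if who == "users":
        return bound is not None
    if who == "self":
        return bound is not None and bound == norm_dn(req.entry)
    if m := re.fullmatch(r'dn(?:\.exact)?="([^"]+)"', who):
        return bound == norm_dn(m.group(1))
    if m := re.fullmatch(r'group(?:\.exact)?="([^"]+)"', who):
        members = groups.get(norm_dn(m.group(1)), ())
        return bound is not None and bound in {norm_dn(d) for d in members}
    raise ValueError(f"unsupported <who> selector: {who!r}")


def granted_level(acl: list, req: Request, groups: Optional[dict] = None) -> str:
    """Level the ACL grants this request: first matching <what>, then first matching <who>."""
    attr = req.attr.lower() if req.attr else None
    for d in acl:
        if d.attrs is not None and attr not in d.attrs:
            continue
        for who, level in d.by:
            if who_matches(who, req, groups or {}):
                return level
        return "none"  # directive matched but no 'by' clause did: implicit 'by * none'
    return "none"      # toy fallback when no directive matches (assumption, see docstring)


def allowed(acl: list, req: Request, groups: Optional[dict] = None) -> bool:
    return LEVELS.index(granted_level(acl, req, groups)) >= LEVELS.index(req.wanted)


# The two directives quoted in the question, exactly as given there.
QUESTION_ACL = [parse_directive(t) for t in (
    'access to attrs=loginShell,gecos by dn="cn=admin,dc=cengineering,dc=etb" write by self write by * read',
    'access to * by dn="cn=admin,dc=cengineering,dc=etb" write by self write by * read',
)]
# The first answer's userPassword rule (group DN adapted to the question's suffix), followed by a
# permissive catch-all that is an addition for this example.
FIXED_ACL = [parse_directive(t) for t in (
    'access to attrs=userPassword by self write by anonymous auth '
    'by group.exact="cn=itpeople,ou=groups,dc=cengineering,dc=etb" write by * none',
    'access to * by self write by * read',
)]
# Hypothetical DNs; only the dc=cengineering,dc=etb suffix comes from the page.
USER = "uid=sobrien4,ou=people,dc=cengineering,dc=etb"
GROUPS = {norm_dn("cn=itpeople,ou=groups,dc=cengineering,dc=etb"):
          {"uid=helpdesk,ou=people,dc=cengineering,dc=etb"}}

if __name__ == "__main__":
    anon = Request(None, USER, "userPassword", "read")
    me = Request(USER, USER, "userPassword", "write")
    for name, acl in (("question", QUESTION_ACL), ("fixed", FIXED_ACL), ("fixed reversed", FIXED_ACL[::-1])):
        print(f"{name:15} anonymous gets {granted_level(acl, anon):5} on userPassword; "
              f"self write allowed: {allowed(acl, me, GROUPS)}")
```

Running the block prints one line per ACL: the question's ACL and the reversed version both hand `read` on userPassword to anonymous sessions, while the fixed ordering hands out `auth` only; self write is allowed in all three.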
