[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: LDAP passwd
Danny Sauer wrote:
>
> So, I never actually saw - has anyone actually gotten password changes working
> with pam_ldap? I've been going on the hope that users never want to change
> their password for a little too long now...
>
> I've got this "supplied with pam_ldap" pam.d/passwd file:
>
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so use_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_ldap.so
> password required /lib/security/pam_unix_passwd.so try_first_pass
>
> but I get no changed password.
>
> I know stuff is *kinda* set up right, 'cause I can log in. chsh and passwd
> do not work, however, and I think it's a rights thing. Is there some good
> documentation somewhere on how these things need to be set up to work,
> like the attributes each user should have and the like?
>
> I think I've got the LDAP (openldap) server set up wrong, because my crypt()'d
> password doesn't work ( rootpw {crypt}dsL/6N1rUU8. ) for my root dn, and
> I can't figure out how to bind to the server as myself. Am I wrong in thining
> that I need to bind as myself to change my passwd? I shut off all the "access"
> lines in slapd.conf, and then tried re-enabling them, to no avail.
I had found a document on how to give users access to their own ldap
record. But I lost it before I had a chance to read it completely and
haven't gotten around to searching for it again. :) I found that I had
to put the md5-crypt password in for my rootpw. How does one generate
that, is it just the password string md5'ed? I made a little program
that just executes crypt(), but that is the plain crypt not md5. I
wound up just changing my system password to what I wanted and then
copy/paste from /etc/passwd into the slapd.conf for rootpw.
> Here's what happens:
>
> ----------
> sauer@ariel:/mnt/csc/staff/sauer > rpm -q pam_ldap nss_ldap
> pam_ldap-46-11
> nss_ldap-105-29
> sauer@ariel:/mnt/csc/staff/sauer > passwd
> New UNIX password:
> Retype new UNIX password:
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insufficient access
>
> /usr/share/dict/cracklib_dict.pwd: No such file or directory
> PWOpen: No such file or directory
I get the same sort of thing. I still haven't solved it, myself.
> sauer@ariel:/mnt/csc/staff/sauer > chsh
> Password:
> Changing the login shell for sauer
> Enter the new value, or press return for the default
> Login Shell [/bin/bash]: /usr/bin/zsh
> chsh: sauer not found in /etc/passwd
I just gave chsh a try, and it changes my record in /etc/passwd, but not
ldap. When I removed myself from /etc/passwd, too many programs broke.
Thus far, I can log in via ldap and that's about it. One day soon I'll
get another burst of energy and tackle it again. :)
--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.