Re: LDAP passwd
On Thu, Jun 08, 2000 at 11:36:25AM -0500, Danny Sauer wrote:
>
> So, I never actually saw - has anyone actually gotten password changes working
> with pam_ldap? I've been going on the hope that users never want to change
> their password for a little too long now...
>
> I've got this "supplied with pam_ldap" pam.d/passwd file:
>
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_unix_auth.so use_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_unix_acct.so
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_ldap.so
> password required /lib/security/pam_unix_passwd.so try_first_pass
>
> but I get no changed password.
The cracklib stuff may be where your trouble is. Try turning that
off.
> I know stuff is *kinda* set up right, 'cause I can log in. chsh and passwd
> do not work, however, and I think it's a rights thing. Is there some good
> documentation somewhere on how these things need to be set up to work,
> like the attributes each user should have and the like?
Look at http://www.rage.net/ldap. There's a link from there to the
informational RFC that suggests what attributes to use.
> I think I've got the LDAP (openldap) server set up wrong, because my crypt()'d
> password doesn't work ( rootpw {crypt}dsL/6N1rUU8. ) for my root dn, and
I think you might want to change that now. :-)
> I can't figure out how to bind to the server as myself. Am I wrong in thinking
> that I need to bind as myself to change my passwd? I shut off all the "access"
> lines in slapd.conf, and then tried re-enabling them, to no avail.
Here's what I have for an access line for the password attribute:
access to attribute=userPassword
by dn="cn=admin,ou=People,o=Springfield Clinic,c=US" write
by dn="cn=validate,ou=People,o=Springfield Clinic,c=US" read
by self write
by * none
That should be all you need for passwd to work.
> sauer@ariel:/mnt/csc/staff/sauer > rpm -q pam_ldap nss_ldap
> pam_ldap-46-11
> nss_ldap-105-29
> sauer@ariel:/mnt/csc/staff/sauer > passwd
> New UNIX password:
> Retype new UNIX password:
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insufficient access
>
> /usr/share/dict/cracklib_dict.pwd: No such file or directory
> PWOpen: No such file or directory
> sauer@ariel:/mnt/csc/staff/sauer > chsh
> Password:
> Changing the login shell for sauer
> Enter the new value, or press return for the default
> Login Shell [/bin/bash]: /usr/bin/zsh
> chsh: sauer not found in /etc/passwd
chsh on Debian has its own pam.d file; does it on yours? If not, chsh
may not be PAMified. Check 'ldd `which chsh` | grep ldap'.
--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.
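The "Insufficient access" in the passwd transcript above is exactly what slapd returns when the bind that tries to replace userPassword hits a "by" clause granting less than write. The following toy evaluator, added here as an illustration and not code from the thread, from pam_ldap or from OpenLDAP, walks the access stanza quoted in the reply the way slapd does (first matching "by" clause wins, implicit "by * none" at the end) and shows why an anonymous bind fails, why the validate DN can read but not write, and why putting "by * none" ahead of "by self write" locks everyone out. The uid=sauer DN is a constructed test input; "by dn=" is treated as an exact DN match, which is an assumption about the slapd version (OpenLDAP 2.0 read it as a regular expression).

```python
import shlex

# Access levels from weakest to strongest, as OpenLDAP ranks them:
# a clause granting "read" also satisfies "search", "compare" and "auth".
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The stanza from the reply above, reproduced as constructed test input.
REPLY_STANZA = """
access to attribute=userPassword
        by dn="cn=admin,ou=People,o=Springfield Clinic,c=US" write
        by dn="cn=validate,ou=People,o=Springfield Clinic,c=US" read
        by self write
        by * none
"""

# Same clauses, but with the catch-all ahead of "self": a common mistake.
MISORDERED_STANZA = """
access to attribute=userPassword
        by dn="cn=admin,ou=People,o=Springfield Clinic,c=US" write
        by * none
        by self write
"""

def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def parse_access(stanza):
    """Return (target_attribute, [(subject, level), ...]) for one 'access to' directive.

    Only the subset of slapd.conf syntax used in the reply is understood:
    'access to attribute=X' (or attrs=X) and 'by dn="..." | self | * LEVEL'.
    """
    lines = [l.strip() for l in stanza.strip().splitlines() if l.strip()]
    head = shlex.split(lines[0])
    if head[:2] != ["access", "to"]:
        raise ValueError("expected 'access to ...'")
    key, _, attr = head[2].partition("=")
    if key not in ("attribute", "attrs", "attr"):
        raise ValueError("only attribute-based targets are supported here")
    clauses = []
    for line in lines[1:]:
        tok = shlex.split(line)  # handles the quoted DN containing spaces
        if len(tok) != 3 or tok[0] != "by" or tok[2] not in LEVELS:
            raise ValueError(f"cannot parse clause: {line!r}")
        subject = tok[1]
        if subject.startswith("dn="):
            # Assumption: exact DN match (the modern default for a bare dn=).
            subject = "dn=" + normalize_dn(subject[3:])
        clauses.append((subject, tok[2]))
    return attr, clauses

def granted_level(clauses, bind_dn, entry_dn):
    """Walk the 'by' clauses in order; the first whose subject matches decides.

    bind_dn == "" models an anonymous bind.  If no clause matches, slapd
    applies an implicit 'by * none', so the result is "none".
    """
    bind = normalize_dn(bind_dn) if bind_dn else ""
    entry = normalize_dn(entry_dn)
    for subject, level in clauses:
        if subject == "*":
            return level
        if subject == "self" and bind and bind == entry:
            return level
        if subject.startswith("dn=") and bind and subject[3:] == bind:
            return level
    return "none"

def allows(level, needed):
    """True if the granted level is at least the one the operation needs."""
    return LEVELS.index(level) >= LEVELS.index(needed)

def can_change_password(stanza, bind_dn, entry_dn):
    """True if a bind as bind_dn may replace userPassword on entry_dn (needs 'write')."""
    attr, clauses = parse_access(stanza)
    if attr.lower() != "userpassword":
        raise ValueError("stanza does not govern userPassword")
    return allows(granted_level(clauses, bind_dn, entry_dn), "write")

if __name__ == "__main__":
    user = "uid=sauer,ou=People,o=Springfield Clinic,c=US"  # constructed
    admin = "cn=admin,ou=People,o=Springfield Clinic,c=US"
    validate = "cn=validate,ou=People,o=Springfield Clinic,c=US"
    for label, bind in [("self", user), ("anonymous", ""), ("admin", admin), ("validate", validate)]:
        ok = can_change_password(REPLY_STANZA, bind, user)
        print(f"{label:10s} -> {'ok' if ok else 'Insufficient access'}")
    print("misordered, self ->", "ok" if can_change_password(MISORDERED_STANZA, user, user) else "Insufficient access")
```

The practical check this encodes: run `passwd` while watching which DN pam_ldap actually binds with. If the bind is anonymous or uses a read-only DN, slapd lands on "by * none" or the read clause and returns "Insufficient access" regardless of how the pam.d file is stacked.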