Re: LDAP passwd

On Thu, Jun 08, 2000 at 05:32:21PM -0500, Jeff Licquia wrote:
> On Thu, Jun 08, 2000 at 11:36:25AM -0500, Danny Sauer wrote:
> > 
> > So, I never actually saw - has anyone actually gotten password changes working
> > with pam_ldap?  I've been going on the hope that users never want to change
> > their password for a little too long now...
> > 
> > I've got this "supplied with pam_ldap" pam.d/passwd file:
> > 
> > auth       sufficient	/lib/security/pam_ldap.so
> > auth       required     /lib/security/pam_unix_auth.so use_first_pass
> > account    sufficient	/lib/security/pam_ldap.so
> > account    required     /lib/security/pam_unix_acct.so
> > password   required	/lib/security/pam_cracklib.so retry=3
> > password   sufficient	/lib/security/pam_ldap.so 
> > password   required     /lib/security/pam_unix_passwd.so try_first_pass
> > 
> > but I get no changed password.
> 
> The cracklib stuff may be where your trouble is.  Try turning that
> off.
> 
> > I know stuff is *kinda* set up right, 'cause I can log in.  chsh and passwd
> > do not work, however, and I think it's a rights thing.  Is there some good
> > documentation somewhere on how these things need to be set up to work, 
> > like the attributes each user should have and the like?
> 
> Look at http://www.rage.net/ldap.  There's a link from there to the
> informational RFC that suggests what attributes to use.
>
That site was down last time I went to look at it (and for a few days after).
Looks like it's up now.  I'll check it out again. ;)

> > I think I've got the LDAP (openldap) server set up wrong, because my crypt()'d
> > password doesn't work ( rootpw {crypt}dsL/6N1rUU8. ) for my root dn, and
> 
> I think you might want to change that now. :-)

Changed before posted.  Duh. :)

> > I can't figure out how to bind to the server as myself.  Am I wrong in thinking
> > that I need to bind as myself to change my passwd?  I shut off all the "access" 
> > lines in slapd.conf, and then tried re-enabling them, to no avail.
> 
> Here's what I have for an access line for the password attribute:
> 
> access to attribute=userPassword
>         by dn="cn=admin,ou=People,o=Springfield Clinic,c=US" write
>         by dn="cn=validate,ou=People,o=Springfield Clinic,c=US" read
>         by self write
>         by * none
> 
> That should be all you need for passwd to work.


I removed the cracklib thing, and it appeared to fix the prompt 'n stuff.
Now I get

sauer@venus:/mnt/csc/staff/sauer > passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: No such attribute

It looks like it's looking for a "shadowaccount" group I don't have, or
something.  I think I can track it down from here.  I hope.

> > sauer@ariel:/mnt/csc/staff/sauer > rpm -q pam_ldap nss_ldap
> > pam_ldap-46-11
> > nss_ldap-105-29
> > sauer@ariel:/mnt/csc/staff/sauer > passwd
> > New UNIX password: 
> > Retype new UNIX password: 
> > Enter login(LDAP) password: 
> > New password: 
> > Re-enter new password: 
> > LDAP password information update failed: Insufficient access
> > 
> > /usr/share/dict/cracklib_dict.pwd: No such file or directory
> > PWOpen: No such file or directory
> > sauer@ariel:/mnt/csc/staff/sauer > chsh
> > Password: 
> > Changing the login shell for sauer
> > Enter the new value, or press return for the default
> > 	Login Shell [/bin/bash]: /usr/bin/zsh
> > 	chsh: sauer not found in /etc/passwd
> 
> chsh on Debian has its own pam.d file; does it on yours?  If not, chsh
> may not be PAMified.  Check 'ldd `which chsh` | grep ldap'.

It's pam'd - I had the same problem with cracklib there.

I'll come back when I've tried some stuff.  Thanks Jeff.
--Danny
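The slapd access stanza Jeff quotes above works because OpenLDAP evaluates the `by` clauses of a matching `access to` directive in order and the first one that matches the bound DN decides the access level, so `by self write` only helps when passwd (via pam_ldap) actually binds as the user's own DN, and it must appear before `by * none`. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of that first-match evaluation, run over the quoted ACL and over a deliberately misordered copy of it. The user DNs (`uid=sauer,...`, `uid=other,...`) are constructed, the parser accepts both the old `attribute=` keyword seen in the thread and the later `attrs=` spelling, and the model ignores slapd's global default and other `by` forms (groups, regex, `continue`/`break`).

```python
import re

# Constructed slapd.conf fragment: the ACL quoted in the thread, unchanged.
ACL_TEXT = """
access to attribute=userPassword
        by dn="cn=admin,ou=People,o=Springfield Clinic,c=US" write
        by dn="cn=validate,ou=People,o=Springfield Clinic,c=US" read
        by self write
        by * none
"""

# Constructed misordering: the catch-all "by * none" placed first shadows
# every later clause, so even the entry owner gets no access.
MISORDERED_ACL_TEXT = """
access to attrs=userPassword
        by * none
        by self write
"""

# Access levels in increasing order of privilege (OpenLDAP's ordering).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BY_RE = re.compile(r'^by\s+(dn="[^"]*"|self|anonymous|users|\*)\s+(\w+)$')


def parse_access(text):
    """Parse 'access to <target>' directives and their 'by <who> <level>' clauses."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            target = line[len("access to "):].strip()
            m = re.match(r'(?:attribute|attrs?)=(\S+)', target)
            attrs = [a.lower() for a in m.group(1).split(",")] if m else ["*"]
            current = {"attrs": attrs, "by": []}
            rules.append(current)
        elif line.startswith("by "):
            if current is None:
                raise ValueError("'by' clause before any 'access to' directive")
            m = BY_RE.match(line)
            if not m or m.group(2).lower() not in LEVELS:
                raise ValueError(f"unsupported by clause: {line!r}")
            current["by"].append((m.group(1), m.group(2).lower()))
        else:
            raise ValueError(f"unsupported directive: {line!r}")
    return rules


def _normalize_dn(dn):
    # Enough normalization for the demo: trim each RDN and ignore case.
    return ",".join(part.strip().lower() for part in dn.split(","))


def _who_matches(who, bound_dn, entry_dn):
    """bound_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":  # the bound identity is the entry being accessed
        return bound_dn is not None and _normalize_dn(bound_dn) == _normalize_dn(entry_dn)
    if who.startswith('dn="'):
        return bound_dn is not None and _normalize_dn(who[4:-1]) == _normalize_dn(bound_dn)
    return False


def granted_level(rules, attr, bound_dn, entry_dn):
    """First directive covering attr applies; within it the first matching 'by' wins.

    A directive that matches the attribute but whose 'by' clauses all fail
    denies access (slapd's implicit 'by * none'). When no directive matches at
    all, real slapd falls back to its global default; this model returns 'none'.
    """
    attr = attr.lower()
    for rule in rules:
        if "*" in rule["attrs"] or attr in rule["attrs"]:
            for who, level in rule["by"]:
                if _who_matches(who, bound_dn, entry_dn):
                    return level
            return "none"
    return "none"


def allows(rules, attr, bound_dn, entry_dn, needed):
    """True when the granted level is at least the level 'needed'."""
    return LEVELS.index(granted_level(rules, attr, bound_dn, entry_dn)) >= LEVELS.index(needed)


if __name__ == "__main__":
    rules = parse_access(ACL_TEXT)
    user = "uid=sauer,ou=People,o=Springfield Clinic,c=US"   # constructed
    other = "uid=other,ou=People,o=Springfield Clinic,c=US"  # constructed
    for who in (user, other, None):
        print(who or "(anonymous)", "->", granted_level(rules, "userPassword", who, user))
    print("misordered, self ->",
          granted_level(parse_access(MISORDERED_ACL_TEXT), "userPassword", user, user))
```

Running it shows the bound user getting `write` on their own `userPassword` and `none` on anyone else's, anonymous getting `none`, and the misordered copy handing the entry owner `none` as well. The same check, applied to a real slapd.conf, is a quick way to confirm both that the identity pam_ldap binds with matches `self` (or a named `dn=`) and that the catch-all clause really is last.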
