
Re: LDAP passwd




Danny Sauer wrote:
> 
> So, I never actually saw - has anyone actually gotten password changes working
> with pam_ldap?  I've been going on the hope that users never want to change
> their password for a little too long now...
> 
> I've got this "supplied with pam_ldap" pam.d/passwd file:
> 
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_unix_auth.so use_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix_acct.so
> password   required     /lib/security/pam_cracklib.so retry=3
> password   sufficient   /lib/security/pam_ldap.so
> password   required     /lib/security/pam_unix_passwd.so try_first_pass
> 
> but I get no changed password.
> 
> I know stuff is *kinda* set up right, 'cause I can log in.  chsh and passwd
> do not work, however, and I think it's a rights thing.  Is there some good
> documentation somewhere on how these things need to be set up to work,
> like the attributes each user should have and the like?
> 
> I think I've got the LDAP (openldap) server set up wrong, because my crypt()'d
> password doesn't work ( rootpw {crypt}dsL/6N1rUU8. ) for my root dn, and
> I can't figure out how to bind to the server as myself.  Am I wrong in thinking
> that I need to bind as myself to change my passwd?  I shut off all the "access"
> lines in slapd.conf, and then tried re-enabling them, to no avail.

I had found a document on how to give users access to their own ldap
record.  But I lost it before I had a chance to read it completely and
haven't gotten around to searching for it again. :)  I found that I had
to put the md5-crypt password in for my rootpw.  How does one generate
that, is it just the password string md5'ed?  I made a little program
that just executes crypt(), but that is the plain crypt not md5.  I
wound up just changing my system password to what I wanted and then
copy/paste from /etc/passwd into the slapd.conf for rootpw.

> Here's what happens:
> 
> ----------
> sauer@ariel:/mnt/csc/staff/sauer > rpm -q pam_ldap nss_ldap
> pam_ldap-46-11
> nss_ldap-105-29
> sauer@ariel:/mnt/csc/staff/sauer > passwd
> New UNIX password:
> Retype new UNIX password:
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insufficient access
> 
> /usr/share/dict/cracklib_dict.pwd: No such file or directory
> PWOpen: No such file or directory

I get the same sort of thing.  I still haven't solved it, myself.

> sauer@ariel:/mnt/csc/staff/sauer > chsh
> Password:
> Changing the login shell for sauer
> Enter the new value, or press return for the default
>         Login Shell [/bin/bash]: /usr/bin/zsh
>         chsh: sauer not found in /etc/passwd

I just gave chsh a try, and it changes my record in /etc/passwd, but not
ldap.  When I removed myself from /etc/passwd, too many programs broke. 
Thus far, I can log in via ldap and that's about it.  One day soon I'll
get another burst of energy and tackle it again. :)
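The reply above asks how the md5-crypt string used for `rootpw` is generated. It is not a plain MD5 of the password: it is the `$1$` scheme from crypt(3) (magic `$1$`, an up-to-8-character salt, a salted and stretched MD5 loop, and a custom base64 alphabet). The following is an added example, not code from the thread, that reimplements that algorithm in pure Python so a hash can be produced and checked without relying on the system `crypt()`; the function names `md5_crypt`, `verify` and `slapd_rootpw` are this example's own. The 13-character value quoted in the original post is a traditional DES `crypt()` hash, a different format from the `$1$...` string the reply found it needed.

```python
"""Pure-Python md5-crypt ($1$) as used in /etc/shadow and in slapd.conf
`rootpw {CRYPT}...` entries. Added example; names are this example's own."""
import hashlib
import hmac
import secrets

# crypt(3)'s own base64 alphabet (not the RFC 4648 one).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, n):
    """Emit n characters of crypt-style base64, least significant 6 bits first."""
    out = []
    for _ in range(n):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5_crypt(password, salt=None):
    """Return the $1$<salt>$<hash> string for password.

    salt may be a bare salt, a full "$1$salt$hash" string (the salt is
    extracted, so the same call serves verification), or None for a
    random 8-character salt.
    """
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    if salt.startswith("$1$"):
        salt = salt[3:]
    salt = salt.split("$", 1)[0][:8]        # stops at '$', max 8 chars
    pw = password.encode()
    sb = salt.encode()

    ctx = hashlib.md5(pw + MAGIC + sb)
    # Mix in len(pw) bytes of MD5(pw + salt + pw), 16 at a time.
    alt = hashlib.md5(pw + sb + pw).digest()
    remaining = len(pw)
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    # For each bit of len(pw): a NUL byte for a 1 bit, pw[0] for a 0 bit.
    i = len(pw)
    while i:
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 rounds of stretching with the original's alternating inputs.
    for i in range(1000):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Interleaved byte order defined by the original implementation.
    order = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order
    )
    encoded += _to64(final[11], 2)
    return "$1$%s$%s" % (salt, encoded)


def verify(password, stored):
    """Constant-time check of a candidate password against a stored $1$ hash."""
    return hmac.compare_digest(md5_crypt(password, stored), stored)


def slapd_rootpw(password, salt=None):
    """Value for the slapd.conf `rootpw` directive in {CRYPT} form."""
    return "{CRYPT}" + md5_crypt(password, salt)


if __name__ == "__main__":
    # Constructed demo password; a real rootpw would be read from a prompt.
    line = slapd_rootpw("example-only")
    print("rootpw", line)
    print("verifies:", verify("example-only", line[len("{CRYPT}"):]))
```

The output of `slapd_rootpw` can be pasted in place of the `rootpw` line in slapd.conf, which is what the reply achieved by copying from `/etc/passwd`. A `{CRYPT}` entry is only as portable as the server's own `crypt(3)`: `$1$` must be supported there. On current OpenLDAP the `{SSHA}` scheme produced by `slappasswd` avoids that dependency, and md5-crypt's fixed 1000 rounds offer little resistance to offline guessing by today's standards.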

--
To unsubscribe, send email to majordomo@luci.org with
"unsubscribe luci-discuss" in the body.