On Mon, Jul 02, 2012 at 01:32:56PM +0200, Angel Bosch wrote:
From: "Sumit Bose" sbose@redhat.com
If you are not asked for a new password I think your pam configuration might need some fixing. If you have a line like
password sufficient pam_sss.so use_authtok
in your configuration there should be a pam module to locally check the new password before, like:
password requisite pam_cracklib.so try_first_pass retry=3 type=
you're right, I was missing some password checker. I've installed pam cracklib and now I'm getting an error about access rights.
shouldn't the user be able to change his own password?
This depends on the server settings. E.g. for OpenLDAP you have to configure it explicitly, see slapd.access(5) for details.
HTH
bye, Sumit
this is the excerpt:
##############################################################################################
Jul 2 13:29:55 cprli0554 passwd[5428]: pam_sss(passwd:chauthtok): User info message: Password change failed. Server message: Insufficient access rights
Jul 2 13:29:55 cprli0554 passwd[5428]: pam_sss(passwd:chauthtok): Password change failed for user a10023: 20 (Authentication token manipulation error)
##############################################################################################
regards,
àngel
sssd-users mailing list sssd-users@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-users
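
The two settings discussed in this thread, side by side, as an added illustration that is not part of the original messages: the client PAM password stack uses the two lines quoted above, and the server ACL is an assumed example in slapd.conf syntax following slapd.access(5), since the thread does not show the actual server configuration.

```conf
# --- Client: PAM password stack (file name depends on the distribution) ---
# pam_cracklib prompts for the new password and checks it locally.
# pam_sss then reuses that token (use_authtok) and sends the change
# to the directory through SSSD. Without a module in front of it,
# pam_sss with use_authtok has no new password to work with.
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_sss.so use_authtok

# --- Server: OpenLDAP slapd.conf (assumed example, not from the thread) ---
# Let each authenticated entry write its own userPassword, let
# anonymous clients use the attribute only to authenticate (bind),
# and deny everyone else. Without "by self write" the server rejects
# the change with "Insufficient access rights", which pam_sss reports
# as "Authentication token manipulation error".
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# slapd stops at the first "access to" clause that matches the target,
# so the userPassword rule must come BEFORE any broader rule such as
# this one (placeholder for the site's general policy).
access to *
    by * read
```

On servers using the cn=config backend the same rule is expressed as an `olcAccess` value on the database entry instead of an `access to` line.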