Hello,
I'm trying for some days to get an ldap server working, but I'm stuck with some issues ;( Some of them, I just worked them around, but there's one I can't deal with, I can get a user to change it's password in a client machine.
This is a RHEL 6 server with compat-openldap-2.4.19_2.3.43-15.el6.x86_64 openldap-devel-2.4.19-15.el6.x86_64 openldap-2.4.19-15.el6.x86_64 openldap-servers-2.4.19-15.el6.x86_64 openldap-clients-2.4.19-15.el6.x86_64
the slapd.conf interesting part: access to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by * none
access to * by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by * read
access to * by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by * read
This is the client rpms (fedora 14) openldap-2.4.22-7.fc14.x86_64 openldap-devel-2.4.22-7.fc14.x86_64 openldap-2.4.22-7.fc14.i686 openldap-clients-2.4.22-7.fc14.x86_64
And the problem is this: client_machine-bash-4.1$ passwd Changing password for user user1. Enter login(LDAP) password: New password: Retype new password: LDAP password information update failed: Insufficient access passwd: Authentication token manipulation error
I have to mention that I had to made some changes in order to simply be able to query for a user. Ldapsearch worked but in order to do something like : id user1 or su - user1
I had to change /etc/sysconfig/authconfig with FORCELEGACY=yes #FORCELEGACY=no
In this way I have been able to modify /etc/nsswitch with ldap values when running authconfig-tui (otherwise it was only using sss and I couldn't even be asked for the ldap password).
The point is the sss system. Without this entry (sss in nsswitch) I'm not able to id or su, but if I don't put the ldap keyword, I'm not even asked for the Enter login(LDAP) password: but I'm asked for the "local" password which of course, doesn't exists, so I get a nice "system error -4" because the system doesn't recognize it.
I don't know if I made myself clear enough, hope you can help me and I really thank you in advance for any help you could provide.
Sincerely, j
On Fri, 2011-04-01 at 17:50 +0200, Judith Flo Gaya wrote:
Hello,
I'm trying for some days to get an ldap server working, but I'm stuck with some issues ;( Some of them, I just worked them around, but there's one I can't deal with, I can get a user to change it's password in a client machine.
This is a RHEL 6 server with compat-openldap-2.4.19_2.3.43-15.el6.x86_64 openldap-devel-2.4.19-15.el6.x86_64 openldap-2.4.19-15.el6.x86_64 openldap-servers-2.4.19-15.el6.x86_64 openldap-clients-2.4.19-15.el6.x86_64
the slapd.conf interesting part: access to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by * none
access to * by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by * read
access to * by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by * read
This is the client rpms (fedora 14) openldap-2.4.22-7.fc14.x86_64 openldap-devel-2.4.22-7.fc14.x86_64 openldap-2.4.22-7.fc14.i686 openldap-clients-2.4.22-7.fc14.x86_64
And the problem is this: client_machine-bash-4.1$ passwd Changing password for user user1. Enter login(LDAP) password: New password: Retype new password: LDAP password information update failed: Insufficient access passwd: Authentication token manipulation error
I have to mention that I had to made some changes in order to simply be able to query for a user. Ldapsearch worked but in order to do something like : id user1 or su - user1
I had to change /etc/sysconfig/authconfig with FORCELEGACY=yes #FORCELEGACY=no
In this way I have been able to modify /etc/nsswitch with ldap values when running authconfig-tui (otherwise it was only using sss and I couldn't even be asked for the ldap password).
The point is the sss system. Without this entry (sss in nsswitch) I'm not able to id or su, but if I don't put the ldap keyword, I'm not even asked for the Enter login(LDAP) password: but I'm asked for the "local" password which of course, doesn't exists, so I get a nice "system error -4" because the system doesn't recognize it.
I don't know if I made myself clear enough, hope you can help me and I really thank you in advance for any help you could provide.
---- change your ACL's on the server...
access to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by * none
access to * by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by anonymous auth by * read
Craig