Hi All
I am trying to change the password using passwd, please see the below :

[xyz@server ~]$ passwd
Changing password for user xyz.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Confidentiality required
Operation requires a secure connection.

The error log shows 
Nov 13 11:47:17 HA-Dev-Nymgo-100-45 passwd: pam_unix(passwd:chauthtok): user "xyz" does not exist in /etc/passwd

Pam config follows :

/etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
~

/etc/pam.d/system-auth

#/etc/pam.d/system-auth
#%PAM-1.0

auth            required          pam_env.so
auth            sufficient      pam_unix.so
auth            sufficient      pam_ldap.so  use_first_pass
auth            required          pam_deny.so

account  sufficient     pam_unix.so
account  sufficient     pam_ldap.so use_first_pass
account  required         pam_deny.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so


#password        required        pam_cracklib.so retry=3 minlen=2  dcredit=0  ucredit=0
#password        sufficient      pam_unix.so nullok use_authtok md5 shadow
#password        sufficient      pam_ldap.so
#password        required          pam_deny.so

session  optional         pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required         pam_limits.so
session  required         pam_unix.so
session  optional         pam_ldap.so
~
~



On Tue, Nov 13, 2012 at 11:15 AM, Arpit Tolani <arpittolani@gmail.com> wrote:
Hello



On Tue, Nov 13, 2012 at 1:10 PM, Ali Jawad <ali.jawad@splendor.net> wrote:
> Hi Arpit
> Actually I was attempting to change the password using command line
>
> passwd
>
> I.e. each user changes his own password, is passwd the right choice here ?
>

Yes, passwd is right choice, considering you have pam_ldap.so properly
configured & yes passwd dont need ssl/tls to be configured.


> Regards
>
> On Mon, Nov 12, 2012 at 11:27 PM, Arpit Tolani <arpittolani@gmail.com>
> wrote:
>>
>> Hello
>>
>> On Tue, Nov 13, 2012 at 12:33 AM, Ali Jawad <ali.jawad@splendor.net>
>> wrote:
>> > In that case I have a major overhaul that I need to complete, change
>> > password is not working for me, my assumption is that it only works with
>> > TLS
>> > enabled between the client and the server, I have tried to get TLS to
>> > run a
>> > few times but could not get it to run so far. Am I right about the
>> > assumption that I need encryption between the server and the clients for
>> > password change to work ?
>> > Regards
>> >
>>
>> When using ldappasswd command, Yes ssl/tls is mandatory, Try changing
>> password using ldapmodify, it doesnt required ssl/tls connection.
>>
>> >
>> > On Mon, Nov 12, 2012 at 8:56 PM, Mark Reynolds <mareynol@redhat.com>
>> > wrote:
>> >>
>> >> Only "crypt" uses the first 8 characters, so any other scheme would be
>> >> fine.  After you change the scheme you will need to force all the users
>> >> to
>> >> change their passwords - otherwise their crypt passwords will still be
>> >> present.
>> >>
>> >>
>> >>
>> >> On 11/12/2012 01:52 PM, Ali Jawad wrote:
>> >>
>> >> Hi All
>> >> This is an all Linux environment with 389 being used as the sole
>> >> authentication mechanism, I do believe I am using crypt, I am out of
>> >> office
>> >> right now, what should I use instead of crypt to match more characters
>> >> ?
>> >> Regards
>> >>
>> >> On Mon, Nov 12, 2012 at 7:02 PM, Mark Reynolds <mareynol@redhat.com>
>> >> wrote:
>> >>>
>> >>> Also what password storage scheme are you using?  For example "crypt"
>> >>> only checks the first 8 characters of a password.
>> >>>
>> >>>
>> >>> On 11/12/2012 11:18 AM, Dan Lavu wrote:
>> >>>
>> >>> In regards to a password policy? Just 389 or are you using winsync
>> >>> with
>> >>> AD? Because the password policy from AD does not transfer over. Also
>> >>> they
>> >>> are some extra steps if you want to setup an OU based password policy
>> >>> but if
>> >>> you just do it for the entire directory through ‘configuration’ it
>> >>> works
>> >>> with no issues.
>> >>>
>> >>> Dan
>> >>>
>> >>> From: Ali Jawad <ali.jawad@splendor.net>
>> >>> Sent: November 12, 2012 6:00 AM
>> >>> To: General discussion list for the 389 Directory server project.
>> >>> Subject: [389-users] Password + anything works ?
>> >>>
>> >>> Hi
>> >>> I just noticed that you can use the password+ANYLetters and it will
>> >>> work,
>> >>> I.e. if the password is xyz xyz99 or xyzABC will work as well, is this
>> >>> a
>> >>> misconfiguration on my part or a bug ?
>> >>> Regards
>> >>>
>>
>> Regards
>> Arpit Tolani
>> --
>> 389 users mailing list
>> 389-users@lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
>
>
>
> --
> Ali Jawad
> Information Systems Manager
> CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
> Splendor Telecom (www.splendor.net)
> Beirut, Lebanon
> Phone: +9611373725/ext 116
> FAX: +9611375554
>
>
>
> --
> 389 users mailing list
> 389-users@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

--
Regards
Arpit Tolani
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users



--
Ali Jawad   
Information Systems Manager
CISSP - PMP - ITIL V3 - RHCE - VCP - C|EH - CCNA - MCSA
Splendor Telecom (www.splendor.net)
Beirut, Lebanon
Phone: +9611373725/ext 116
FAX: +9611375554