On Fri, 2011-04-01 at 17:50 +0200, Judith Flo Gaya wrote:
Hello,
I'm trying for some days to get an ldap server working, but I'm stuck
with some issues ;( Some of them, I just worked them around, but there's
one I can't deal with, I can get a user to change it's password in a
client machine.
This is a RHEL 6 server with
compat-openldap-2.4.19_2.3.43-15.el6.x86_64
openldap-devel-2.4.19-15.el6.x86_64
openldap-2.4.19-15.el6.x86_64
openldap-servers-2.4.19-15.el6.x86_64
openldap-clients-2.4.19-15.el6.x86_64
the slapd.conf interesting part:
access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by * none
access to *
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by * read
access to *
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by * read
This is the client rpms (fedora 14)
openldap-2.4.22-7.fc14.x86_64
openldap-devel-2.4.22-7.fc14.x86_64
openldap-2.4.22-7.fc14.i686
openldap-clients-2.4.22-7.fc14.x86_64
And the problem is this:
client_machine-bash-4.1$ passwd
Changing password for user user1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error
I have to mention that I had to made some changes in order to simply be
able to query for a user. Ldapsearch worked but in order to do something
like :
id user1
or
su - user1
I had to change /etc/sysconfig/authconfig with
FORCELEGACY=yes
#FORCELEGACY=no
In this way I have been able to modify /etc/nsswitch with ldap values
when running authconfig-tui (otherwise it was only using sss and I
couldn't even be asked for the ldap password).
The point is the sss system. Without this entry (sss in nsswitch) I'm
not able to id or su, but if I don't put the ldap
keyword, I'm not even asked for the Enter login(LDAP) password:
but I'm asked for the "local" password which of course, doesn't exists,
so I get a nice "system error -4" because the system doesn't recognize it.
I don't know if I made myself clear enough, hope you can help me and I
really thank you in advance for any help you could provide.
----
change your ACL's on the server...
access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by * none
access to *
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by anonymous auth
by * read
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.