LDAP change user pass on client

Posted by Sean on Server Fault See other posts from Server Fault or by Sean
Published on 2011-05-09T15:17:32Z Indexed on 2012/10/13 3:39 UTC

I am trying to allow LDAP users to change their password on client machines. I have tried PAM every which way I can think of, and /etc/ldap.conf & /etc/pam_ldap.conf as well. At this point I'm stuck.

Client: Ubuntu 11.04
Server: Debian 6.0

The current output is this:

sobrien4@T-E700F-1:~$ passwd
passwd: Authentication service cannot retrieve authentication info
passwd: password unchanged

/var/log/auth.log gives this during the command:

May  9 10:49:06 T-E700F-1 passwd[18515]: pam_unix(passwd:chauthtok): user "sobrien4"  does not exist in /etc/passwd
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: reconnecting to LDAP server...
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server

getent passwd | grep sobrien4 (note: keeping it short since I'm testing with that account; however, it outputs all LDAP users):

sobrien4:Ffm1oHzwnLz0U:10000:12001:Sean O'Brien:/home/sobrien4:/bin/bash

getent group shows all ldap groups.

/etc/pam.d/common-password (Note this is just the most current, I have tried a lot of different options):

password   required   pam_cracklib.so retry=3 minlen=8 difok=3
password   [success=1 default=ignore] pam_unix.so use_authtok md5
password   required   pam_ldap.so use_authtok
password   required   pam_permit.so

Popped open wireshark as well, the server & client are talking.

I have the password changing working on the server, i.e. the server that runs slapd: I can log in with the LDAP user and change the passwords. I tried copying the working configs from the server initially and no dice.

I also tried cloning it and just changing the IP & host, and no go. My guess is that the client is not authorized by IP or hostname to change a password.

Pertaining to the slapd conf, I saw this in a guide and tried it:

# slapd.conf ACLs are evaluated in order; the first "access to" clause
# whose target matches decides, and within it the first matching "by" line wins.
access to attrs=loginShell,gecos
        by dn="cn=admin,dc=cengineering,dc=etb" write
        by self write
        by * read

access to *
        by dn="cn=admin,dc=cengineering,dc=etb" write
        by self write
        by * read

So LDAP seems to be working okay, I just can't change the password.
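The two slapd ACLs quoted above are worth walking through with slapd's first-match semantics, because they decide both whether a self-service password change is permitted and who else can see the userPassword attribute. The script below is an added example written for this page, not code from the post or from OpenLDAP: it models the posted ACL and a hardened variant that prepends the dedicated userPassword rule OpenLDAP documents as the usual default (`by self write`, `by anonymous auth`, `by * none`). The user DN, the attribute names and the access-level ordering are assumptions for the illustration; the admin DN is the one from the question.

```python
"""Toy evaluator for slapd-style ACLs (added example, not from the post).

slapd walks "access to <what>" clauses in order and stops at the first one
whose <what> covers the target attribute; inside that clause the first
matching "by <who>" line fixes the access level, and if no "by" line matches
the request is denied. The model below applies that rule to the ACL quoted
in the question and to a hardened variant with a dedicated userPassword rule.
"""

ADMIN = "cn=admin,dc=cengineering,dc=etb"              # DN taken from the question
USER = "uid=sobrien4,ou=people,dc=cengineering,dc=etb"  # assumed user DN (constructed)

# slapd access levels; each level implies every level to its left.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def satisfies(granted, needed):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


# Each clause is (set_of_attrs or None for "access to *", [(who, level), ...]).
POSTED_ACL = [
    ({"loginShell", "gecos"}, [("admin", "write"), ("self", "write"), ("*", "read")]),
    (None,                    [("admin", "write"), ("self", "write"), ("*", "read")]),
]

# Same ACL with the standard userPassword clause placed first, so it matches
# before the catch-all "access to *" does.
HARDENED_ACL = [
    ({"userPassword"},        [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ({"loginShell", "gecos"}, [("admin", "write"), ("self", "write"), ("*", "read")]),
    (None,                    [("admin", "write"), ("self", "write"), ("*", "read")]),
]


def who_matches(who, requester_dn, target_dn):
    """Does a 'by <who>' selector match this requester? requester_dn None = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":
        return requester_dn is not None and requester_dn == target_dn
    if who == "admin":
        return requester_dn == ADMIN
    return False


def access_level(acl, requester_dn, target_dn, attr):
    """First-match evaluation: first covering clause, first matching 'by' line."""
    for attrs, by_clauses in acl:
        if attrs is not None and attr not in attrs:
            continue                      # clause does not cover this attribute
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"                     # clause matched, no 'by' line did: deny
    return "none"                         # nothing matched: slapd's default is deny


def can_change_own_password(acl, user_dn):
    """A passwd change via pam_ldap needs write on the user's own userPassword."""
    return satisfies(access_level(acl, user_dn, user_dn, "userPassword"), "write")


def anonymous_can_bind(acl, user_dn):
    """A simple bind needs 'auth' on userPassword for the not-yet-authenticated client."""
    return satisfies(access_level(acl, None, user_dn, "userPassword"), "auth")


def anonymous_can_read_hash(acl, user_dn):
    """'read' on userPassword for anonymous means password hashes are exposed."""
    return satisfies(access_level(acl, None, user_dn, "userPassword"), "read")


def report(name, acl):
    print(f"{name}:")
    print(f"  self can change own password : {can_change_own_password(acl, USER)}")
    print(f"  anonymous can simple-bind    : {anonymous_can_bind(acl, USER)}")
    print(f"  anonymous can read hashes    : {anonymous_can_read_hash(acl, USER)}")


if __name__ == "__main__":
    report("posted ACL", POSTED_ACL)
    report("hardened ACL", HARDENED_ACL)
```

Under the posted rules the `access to *` clause already grants `self write` on userPassword, so a bound user can change their own password; the same clause's `by * read` also lets an anonymous client read every user's password hash, which the hardened ordering closes while still allowing the `auth` access a simple bind needs. Note that ACLs are only consulted after a bind reaches slapd; the `ldap_simple_bind Can't contact LDAP server` lines in the auth.log above are a transport-level failure reported before any ACL is evaluated, so they point at the client's LDAP URI/host settings rather than at the server's access rules.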
