On Fri, 2009-01-23 at 20:11 -0500, Tim Hartmann wrote: > Hi! > > So I can into yet another pot-hole in the road to LDAP bliss... > > We have a root suffix in our directory that stores the basic Posix > attributes including password, I've been able to configure my client to > use ldap for directory services, and authenticate against my replica's, > so far so good! Then I tried to change my users password .. and thats > where I started getting a bit hung up.. > > At first I thought that it was because my replicas weren't sending the > update request/ referrals back to the masters. (We have two masters that > sit behind four consumers) > > Then I decided to change my ldap.conf files to point directly to my > masters.... but I still receaved the same errors "Can't contact LDAP > Server" , which was strange since I can do ldap searches against it all > day, and even bind to the servers to do searches! and Insufficient write > privileges, which made me think that maybe it was an ACI.. but I have > selfwrite enabled for the userPassword attribute... > > Here's the output of my failed attempt to change my user's password > after logging in successfully to the server.. > > Changing password for user foo. > Enter login(LDAP) password: > New UNIX password: > Retype new UNIX password: > LDAP password information update failed: Can't contact LDAP server > Insufficient 'write' privilege to the 'userPassword' attribute of entry > 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'. > > passwd: Permission denied > > > If anyone has any thought I'd be grateful! I'm pretty perplexed! <snip> I'm an LDAP ignoramus so take this for what it's worth -- is it possible it's a PAM configuration problem and not an LDAP or ldap.conf problem? - John -- John A. Sullivan III Open Source Development Corporation +1 207-985-7880 jsullivan at opensourcedevel.com http://www.spiritualoutreach.com Making Christianity intelligible to secular society
