Could be, but the test server I'm using has a copy of the pam configs from a production server, that works fine in our OpenLDAP environment, I'm in the process of testing our new Directories Server in order to replace the old servers... So same OS, and the same config files... which is part of why I'm stumped! It's maddening being so close to the end of this project! :) Best Tim John A. Sullivan III wrote: > On Fri, 2009-01-23 at 20:11 -0500, Tim Hartmann wrote: > >> Hi! >> >> So I can into yet another pot-hole in the road to LDAP bliss... >> >> We have a root suffix in our directory that stores the basic Posix >> attributes including password, I've been able to configure my client to >> use ldap for directory services, and authenticate against my replica's, >> so far so good! Then I tried to change my users password .. and thats >> where I started getting a bit hung up.. >> >> At first I thought that it was because my replicas weren't sending the >> update request/ referrals back to the masters. (We have two masters that >> sit behind four consumers) >> >> Then I decided to change my ldap.conf files to point directly to my >> masters.... but I still receaved the same errors "Can't contact LDAP >> Server" , which was strange since I can do ldap searches against it all >> day, and even bind to the servers to do searches! and Insufficient write >> privileges, which made me think that maybe it was an ACI.. but I have >> selfwrite enabled for the userPassword attribute... >> >> Here's the output of my failed attempt to change my user's password >> after logging in successfully to the server.. >> >> Changing password for user foo. >> Enter login(LDAP) password: >> New UNIX password: >> Retype new UNIX password: >> LDAP password information update failed: Can't contact LDAP server >> Insufficient 'write' privilege to the 'userPassword' attribute of entry >> 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'. >> >> passwd: Permission denied >> >> >> If anyone has any thought I'd be grateful! I'm pretty perplexed! >> > <snip> > I'm an LDAP ignoramus so take this for what it's worth -- is it possible > it's a PAM configuration problem and not an LDAP or ldap.conf problem? - > John >