Well, I made some progress on this! In part it turns out that I had my ACIs set too tightly in my "enable self write for common attributes" ACI. So once I made some changes to that ACI I was able to update my user password, so long as the client server was pointing at one of the Masters in /etc/ldap.conf and /etc/openldap.conf. However, once I pointed those conf files back to my LDAP replicas, I was back to getting the same errors! One small step closer to LDAP bliss!

Tim

Tim Hartmann wrote:
> Could be, but the test server I'm using has a copy of the pam configs
> from a production server, that works fine in our OpenLDAP environment.
> I'm in the process of testing our new Directory Server in order to
> replace the old servers... So same OS, and the same config files...
> which is part of why I'm stumped! It's maddening being so close to the
> end of this project! :)
>
> Best
>
> Tim
>
>
> John A. Sullivan III wrote:
>
>> On Fri, 2009-01-23 at 20:11 -0500, Tim Hartmann wrote:
>>
>>> Hi!
>>>
>>> So I ran into yet another pot-hole in the road to LDAP bliss...
>>>
>>> We have a root suffix in our directory that stores the basic Posix
>>> attributes including password. I've been able to configure my client to
>>> use ldap for directory services, and authenticate against my replicas,
>>> so far so good! Then I tried to change my user's password... and that's
>>> where I started getting a bit hung up...
>>>
>>> At first I thought that it was because my replicas weren't sending the
>>> update request/referrals back to the masters. (We have two masters that
>>> sit behind four consumers.)
>>>
>>> Then I decided to change my ldap.conf files to point directly to my
>>> masters... but I still received the same errors: "Can't contact LDAP
>>> Server", which was strange since I can do ldap searches against it all
>>> day, and even bind to the servers to do searches! And "Insufficient write
>>> privileges", which made me think that maybe it was an ACI... but I have
>>> selfwrite enabled for the userPassword attribute...
>>>
>>> Here's the output of my failed attempt to change my user's password
>>> after logging in successfully to the server:
>>>
>>> Changing password for user foo.
>>> Enter login(LDAP) password:
>>> New UNIX password:
>>> Retype new UNIX password:
>>> LDAP password information update failed: Can't contact LDAP server
>>> Insufficient 'write' privilege to the 'userPassword' attribute of entry
>>> 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.
>>>
>>> passwd: Permission denied
>>>
>>>
>>> If anyone has any thoughts I'd be grateful! I'm pretty perplexed!
>>>
>>>
>> <snip>
>> I'm an LDAP ignoramus so take this for what it's worth -- is it possible
>> it's a PAM configuration problem and not an LDAP or ldap.conf problem? -
>> John
>>
>>
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>
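An added example, not from this thread or from the Directory Server project: an ACI in the style of the "enable self write for common attributes" ACI discussed above, narrowed to userPassword only and applied to the suffix from Tim's error message. The ACI name, the master hostname and the file name are assumptions.

```ldif
# Constructed example: let each user write only their own userPassword.
# Before adding it, list the ACIs already on the suffix:
#   ldapsearch -x -H ldap://master.example.edu -b dc=dept,dc=school,dc=edu -s base aci
# Apply as the directory administrator against a master, not a consumer:
#   ldapmodify -x -H ldap://master.example.edu -D "cn=Directory Manager" -W -f selfwrite.ldif
dn: dc=dept,dc=school,dc=edu
changetype: modify
add: aci
aci: (targetattr="userPassword")(version 3.0; acl "Enable self write for userPassword"; allow (write) userdn="ldap:///self";)
```

A read-only consumer does not apply a modify itself; it answers with a referral to a master, so a client that is not configured to follow referrals keeps failing against the replicas even after the ACI is correct.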