On Fri, 2011-04-01 at 17:50 +0200, Judith Flo Gaya wrote: > Hello, > > I'm trying for some days to get an ldap server working, but I'm stuck > with some issues ;( Some of them, I just worked them around, but there's > one I can't deal with, I can get a user to change it's password in a > client machine. > > This is a RHEL 6 server with > compat-openldap-2.4.19_2.3.43-15.el6.x86_64 > openldap-devel-2.4.19-15.el6.x86_64 > openldap-2.4.19-15.el6.x86_64 > openldap-servers-2.4.19-15.el6.x86_64 > openldap-clients-2.4.19-15.el6.x86_64 > > the slapd.conf interesting part: > access to attrs=userPassword,shadowLastChange > by self write > by anonymous auth > by dn="cn=admin,dc=linux,dc=imppc,dc=org" write > by * none > > access to * > by dn="cn=admin,dc=linux,dc=imppc,dc=org" write > by * read > > access to * > by dn="cn=admin,dc=linux,dc=imppc,dc=org" write > by * read > > > > This is the client rpms (fedora 14) > openldap-2.4.22-7.fc14.x86_64 > openldap-devel-2.4.22-7.fc14.x86_64 > openldap-2.4.22-7.fc14.i686 > openldap-clients-2.4.22-7.fc14.x86_64 > > And the problem is this: > client_machine-bash-4.1$ passwd > Changing password for user user1. > Enter login(LDAP) password: > New password: > Retype new password: > LDAP password information update failed: Insufficient access > passwd: Authentication token manipulation error > > I have to mention that I had to made some changes in order to simply be > able to query for a user. Ldapsearch worked but in order to do something > like : > id user1 > or > su - user1 > > I had to change /etc/sysconfig/authconfig with > FORCELEGACY=yes > #FORCELEGACY=no > > In this way I have been able to modify /etc/nsswitch with ldap values > when running authconfig-tui (otherwise it was only using sss and I > couldn't even be asked for the ldap password). > > The point is the sss system. Without this entry (sss in nsswitch) I'm > not able to id or su, but if I don't put the ldap > keyword, I'm not even asked for the Enter login(LDAP) password: > but I'm asked for the "local" password which of course, doesn't exists, > so I get a nice "system error -4" because the system doesn't recognize it. > > I don't know if I made myself clear enough, hope you can help me and I > really thank you in advance for any help you could provide. ---- change your ACL's on the server... access to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by * none access to * by dn="cn=admin,dc=linux,dc=imppc,dc=org" write by anonymous auth by * read Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
