Hi all. I've given it my all, but I can't get my LDAP authentication working properly on my RH 7.2 box. I'm almost there. If I leave my ACL wide open (access to * by * write), things work pretty well for the most part. I can log in and change my passwords, and everything stays in sync between LDAP and Unix - although I do have to type in the password for both pam_unix and pam_ldap (I would guess that is what is occurring). I think this should be avoidable, but playing with try/use_first_pass doesn't seem to work. It gets even worse, three prompts (two from unix, one from pam), if I put the pam_ldap module after pam_unix_passwd. I have a feeling this is to do with the password encryption. I have md5 turned on in the /etc/shadow passwords, and the password would not appear to be stored in the same way in OpenLDAP.

** Just a note to some that might encounter the same problem as me: by making the pam_ldap and pam_unix auth required, if the passwords get out of sync, as they very well can, you will end up with "Access denied" (through SSH anyway) or something similar. **

Anyhow, the real problem is that the password changing does not work at all if I tighten up the ACL, as I must, but certainly still to where it should work - like below, for example:

access to *
        by self write
        by dn="uid=root,dc=domain,dc=com" write
        by * read
        by anonymous auth

With the above access I get the following "Insufficient access" message when changing passwords (you can also see the number of prompts it is giving me):

[greg@gateway greg]$ passwd
Changing password for greg
(current) UNIX password:
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
Enter new UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
passwd: Permission denied
[greg@gateway greg]$

What does the "self" in the ACL refer to? Who is bound in this scenario? The user id + the base DN in slapd.conf?
Also, if I bind with my rootdn at the command prompt, things work fine for adding entries using ldapadd, but if I try to change the password for the same user I get the following. Very, very frustrating.

[root@gateway openldap]# ldappasswd -WS -D 'cn=root,dc=domain,dc=com' -x greg
New password:
Re-enter new password:
Enter bind password:
Result: Invalid DN syntax (34)
Additional info: Invalid DN

or

[root@gateway openldap]# ldappasswd -WS -D 'cn=root,ou=People,dc=domain,dc=com' -x greg
New password:
Re-enter new password:
Enter bind password:
ldap_bind: Invalid credentials

but as stated, I can bind and add with the same root DN no problems (see below):

[root@gateway openldap]# ldapadd -x -D "cn=root,dc=domain,dc=com" -W -f testuser.ldif
Enter LDAP Password:
adding new entry "uid=testuser,ou=People,dc=domain,dc=com"
[root@gateway openldap]#
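As an added worked example (not part of the original post), here is a slapd.conf ACL set of the kind the post is trying to reach, written so that a user can change only their own password and nobody can read password hashes. It assumes the rootdn is "cn=root,dc=domain,dc=com" (the DN the ldapadd command above binds with; the ACL in the post uses uid=root, which is a different DN) and that user entries live under ou=People,dc=domain,dc=com. In slapd ACL terms, "self" means the bound DN is the same as the DN of the entry being accessed; with pam_ldap the bound DN is the entry it found by searching for uid=<login> under the configured base (here uid=greg,ou=People,dc=domain,dc=com), not the login name glued onto the base DN.

```conf
# /etc/openldap/slapd.conf  (added example, assumptions noted above)
#
# slapd evaluates "access to" clauses top to bottom and uses the FIRST one
# whose target matches the entry/attribute, so the userPassword rule must
# come before the catch-all.  Within a clause the first "by" that matches
# the bound identity wins, so specific identities go first, "* none" last.

# Password attribute: owner and rootdn may write, anonymous may only use it
# to authenticate (simple bind), and nobody else can read the hashes.
access to attrs=userPassword
        by self write
        by dn="cn=root,dc=domain,dc=com" write
        by anonymous auth
        by * none

# Everything else: owner may edit their own entry, rootdn may edit anything,
# everyone (including anonymous, which nss_ldap uses by default) may read.
access to *
        by self write
        by dn="cn=root,dc=domain,dc=com" write
        by * read
```

Two things to check alongside this: the DN named in slapd.conf's rootdn directive bypasses ACLs entirely, so the explicit "by dn=..." lines only matter if that DN is an ordinary entry rather than the rootdn, and the privilege levels are cumulative (none < auth < compare < search < read < write), so a clause granting "by * read" on userPassword, as the post's ACL effectively does, lets anyone read the hashes. The ldappasswd "Invalid DN syntax" result comes from passing a bare login name where the command expects the DN of the entry whose password is being set, e.g. ldappasswd -x -D 'cn=root,dc=domain,dc=com' -W -S 'uid=greg,ou=People,dc=domain,dc=com'.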
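The double and triple prompts described above come from how the pam_unix and pam_ldap modules are stacked. As an added example that is not from the original post, this is a Red Hat style /etc/pam.d/system-auth fragment that collects the password once and hands it to both modules; it assumes module paths under /lib/security, that local accounts use md5 shadow passwords, and that the same user exists in both /etc/shadow and LDAP.

```conf
# /etc/pam.d/system-auth  (added example; paths and options are assumptions)
#
# auth: pam_unix asks for the password; pam_ldap reuses it via use_first_pass
# instead of prompting again.  "sufficient" means whichever store accepts the
# password wins, so an out-of-sync pair does not lock the user out.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

# password: pam_cracklib prompts for the new password once; use_authtok makes
# both stores take that same token rather than prompting again.  Both are
# "required" here so that a change is applied to BOTH stores and the two stay
# in sync; the cost is that a failure in either (for example the LDAP ACL
# refusing the write) fails the whole change.
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    required      /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
```

The trade-off is the one the post already observed: with both stores required, an LDAP-side failure such as "Insufficient access" makes passwd report "Permission denied" for the whole operation, which is why the ACL has to grant "self write" on userPassword before this stacking is safe to deploy.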