Hello,

I am using eDirectory 8.7 and pam_ldap successfully to authenticate users. But as root I cannot change user passwords (whereas as a user I can change my own password):

    root@xxxxxxx~# passwd foo
    Changing password for user foo.
    New password:
    BAD PASSWORD: it is based on a dictionary word
    Retype new password:
    LDAP password information update failed: Unknown error
    passwd: Permission denied

Syslog tells me:

    Jun 16 07:50:12 dhcp233 passwd(pam_unix)[969]: user "foo" does not exist in /etc/passwd or NIS
    Jun 16 07:50:22 dhcp233 passwd[969]: pam_ldap: ldap_modify_s DSA is unwilling to perform

ldap.conf:

    host 127.0.0.1
    # The distinguished name of the search base.
    base ou=stuttgart,o=acme
    binddn cn=root,ou=stuttgart,o=acme
    bindpw *****
    rootbinddn cn=admin,o=acme
    scope sub
    # Filter to AND with uid=%s
    pam_filter objectclass=posixaccount
    # The user ID attribute (defaults to uid)
    pam_login_attribute uid
    pam_password nds
    ssl no

system-auth:

    auth required /lib/security/pam_env.so
    auth sufficient /lib/security/pam_unix.so likeauth nullok
    auth sufficient /lib/security/pam_ldap.so use_first_pass
    auth required /lib/security/pam_deny.so
    account required /lib/security/pam_unix.so
    password required /lib/security/pam_cracklib.so retry=3 type=
    password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password sufficient /lib/security/pam_ldap.so use_authtok
    password required /lib/security/pam_deny.so
    session required /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session required /lib/security/pam_limits.so
    session required /lib/security/pam_unix.so
    session optional /lib/security/pam_ldap.so

If I create an LDIF file:

    dn: cn=foo,ou=stuttgart,o=acme
    changetype: modify
    userPassword: foobar

and use ldapmodify:

    ldapmodify -x -D cn=root,ou=stuttgart,o=acme -w ****** -v < /tmp/foo

it works. Any ideas?

regards
Stefan

--
--------------------------------------------------------------------
Stefan Völkel                stefan.voelkel@xxxxxxxxxxxx
Millenux GmbH                mobile: +49.170.79177.17
Lilienthalstraße 2           phone: +49.711.88770.300
70825 Stuttgart-Korntal      fax: +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-