Re: pam_ldap/eDirectory password change fails.

[John Stucki <jstucki@xxxxxxxxxxxxx>]

I've been trying to get eDirectory 8.7 & pam_ldap to work for a while. 
I am able to authenticate, but I still have to have entries in 
/etc/passwd file for my users, did you get it to work without having to 
put user entries in the /etc/passwd file?

Stefan Voelkel wrote:
> Hello,
>
> I am using eDirectory 8.7 and pam_ldap successfully to authenticate
> users.
>
> But as root I can not change user passwords (whereas user I can change
> my own password):
>
> root@xxxxxxx~# passwd foo
> Changing password for user foo.
> New password:
> BAD PASSWORD: it is based on a dictionary word
> Retype new password:
> LDAP password information update failed: Unknown error
>
> passwd: Permission denied
>
> Syslog tells me:
>
> Jun 16 07:50:12 dhcp233 passwd(pam_unix)[969]: user "foo" does not exist
> in /etc/passwd or NIS
> Jun 16 07:50:22 dhcp233 passwd[969]: pam_ldap: ldap_modify_s DSA is
> unwilling to perform
>
> ldap.conf:
>
> host 127.0.0.1
>
> # The distinguished name of the search base.
> base ou=stuttgart,o=acme
>
> binddn cn=root,ou=stuttgart,o=acme
> bindpw *****
> rootbinddn cn=admin,o=acme
>
> scope sub
>
> # Filter to AND with uid=%s
> pam_filter objectclass=posixaccount
>
> # The user ID attribute (defaults to uid)
> pam_login_attribute uid
>
> pam_password nds
>
> ssl no
>
>
> system-auth:
>
> auth        required      /lib/security/pam_env.so
> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
> auth        required      /lib/security/pam_deny.so
>
> account     required      /lib/security/pam_unix.so
>
> password    required      /lib/security/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/pam_unix.so nullok use_authtok
> md5 shado
> w
> password    sufficient    /lib/security/pam_ldap.so use_authtok
> password    required      /lib/security/pam_deny.so
>
> session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/
> umask=0
> 077
> session     required      /lib/security/pam_limits.so
> session     required      /lib/security/pam_unix.so
> session     optional      /lib/security/pam_ldap.so
>
>
> If I create a ldif file:
>
> dn: cn=foo,ou=stuttgart,o=acme
> changetype: modify
> userPassword: foobar
>
>
> and use ldapmodify:
>
> ldapmodify -x -D cn=root,ou=stuttgart,o=acme -w ****** -v < /tmp/foo
>
>
> it works. 
>
> Any ideas?
>
> regards
> 	Stefan


--
John T. Stucki                                          Work Address:
Network Administrator, IT Department                    40 West 4th 
Street - Room 515
Stern School of Business, New York University           New York, NY  10012
E-mail: jstucki@xxxxxxxxxxxxx                           Phone: 212.998.0160
Web: http://www.stern.nyu.edu/~jstucki                  Fax: 212.995.4236



_______________________________________________

Pam-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/pam-list