We are successful at this in our environment as well, although our configuration is a bit different. My guess about the problem you're experiencing is that eDirectory doesn't know much about PAM, but it does know about LDAP. Executing the passwd command calls pam_unix, then looks up nsswitch.conf and calls pam_ldap, which tries to communicate with the eDirectory DSA. Given the different password hashing algorithms on UNIX and Netware/RSA, pam hands off something that eDirectory can't interpret. But eDirectory, being LDAPv3 compliant, will accept direct LDAP calls via those utilities rather than pam_ldap.

In our environment we're using eDirectory 8.7 as the LDAP store and RedHat 8.0 clients. We're not running slapd, as it appears you are from the ldap.conf you've submitted (i.e. 127.0.0.1). Our ldap.conf looks like this:

For TLS, port 389/tcp:

    HOST testfs.ourdomain.com
    BASE o=temp
    ssl start_tls
    pam_password md5

For SSL, port 636/tcp, you'll have to add some attributes because authconfig does not:

    HOST testfs.ourdomain.com
    BASE o=temp
    ssl on
    sslpath /usr/share/ssl/certs/<serverDNS-cert>
    pam_password md5

This allows all authentication data passed on the wire to be encrypted, either via TLS or SSL.

We also found that in order to get this to work right we needed to edit the LDAP attributes on the user objects with the following snapins, unixsnapin.jar and unixSnapinRes.jar, found on Novell's website in the c1unx85a.exe archive. Without these snapins LDAP authentication doesn't work.

Finally, I suppose a solution to your problem would be to run ConsoleOne on a Linux machine and change the user password from that utility. Albeit you'll have to run a GUI environment, you'll gain administration of your entire tree from one utility.

Jeff Brown
UNIX System Administrator
Jefferson County, Colorado

>>> Stefan.Voelkel@xxxxxxxxxxxx 04/01/03 08:41AM >>>
Hello,

I am using eDirectory 8.7 and pam_ldap successfully to authenticate users.
But as root I can not change user passwords (whereas as a user I can change my own password):

    root@xxxxxxx~# passwd foo
    Changing password for user foo.
    New password:
    BAD PASSWORD: it is based on a dictionary word
    Retype new password:
    LDAP password information update failed: Unknown error
    passwd: Permission denied

Syslog tells me:

    Jun 16 07:50:12 dhcp233 passwd(pam_unix)[969]: user "foo" does not exist in /etc/passwd or NIS
    Jun 16 07:50:22 dhcp233 passwd[969]: pam_ldap: ldap_modify_s DSA is unwilling to perform

ldap.conf:

    host 127.0.0.1
    # The distinguished name of the search base.
    base ou=stuttgart,o=acme
    binddn cn=root,ou=stuttgart,o=acme
    bindpw *****
    rootbinddn cn=admin,o=acme
    scope sub
    # Filter to AND with uid=%s
    pam_filter objectclass=posixaccount
    # The user ID attribute (defaults to uid)
    pam_login_attribute uid
    pam_password nds
    ssl no

system-auth:

    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok
    auth        sufficient    /lib/security/pam_ldap.so use_first_pass
    auth        required      /lib/security/pam_deny.so
    account     required      /lib/security/pam_unix.so
    password    required      /lib/security/pam_cracklib.so retry=3 type=
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    sufficient    /lib/security/pam_ldap.so use_authtok
    password    required      /lib/security/pam_deny.so
    session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so
    session     optional      /lib/security/pam_ldap.so

If I create an ldif file:

    dn: cn=foo,ou=stuttgart,o=acme
    changetype: modify
    userPassword: foobar

and use ldapmodify:

    ldapmodify -x -D cn=root,ou=stuttgart,o=acme -w ****** -v < /tmp/foo

it works. Any ideas?
regards
Stefan
--
--------------------------------------------------------------------
Stefan Völkel                           stefan.voelkel@xxxxxxxxxxxx
Millenux GmbH                           mobile: +49.170.79177.17
Lilienthalstraße 2                      phone:  +49.711.88770.300
70825 Stuttgart-Korntal                 fax:    +49.711.88770.349
-= linux without limits -=- http://linux.zSeries.org/ =-
_______________________________________________
Pam-list@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/pam-list
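As an added example (not code from either poster), the following script does by hand what the thread found works: it replaces userPassword over LDAP as the admin bind instead of letting pam_ldap's ldap_modify_s run from root's passwd. The server URI, admin DN and password file are assumptions; the base and the cn=<uid>,<base> entry layout follow the question's ldap.conf. It also covers two things the thread's one-line LDIF does not: an explicit "replace:" change and base64 encoding of passwords that LDIF may not carry in clear (RFC 2849: values starting with a space, ':' or '<', or containing non-ASCII, must be written with "::"). ldapmodify's exit status is the LDAP result code, so 53 is the "unwilling to perform" the syslog line reported; -ZZ forces StartTLS so the new password does not cross the wire in clear, and -y reads the admin password from a file rather than exposing it in the process list as -w does (-y needs a newer OpenLDAP client than the 2003 ones in the thread; use -W interactively otherwise). Whether the DSA accepts the modify still depends on the rights of the bind DN, exactly as in the poster's own ldapmodify test.

```shell
#!/bin/sh
# Added example, not from the thread. Replace a user's userPassword in
# eDirectory via ldapmodify as the admin bind. Hypothetical values:
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"      # assumption
BASE="${BASE:-ou=stuttgart,o=acme}"                  # search base from the question
ADMIN_DN="${ADMIN_DN:-cn=admin,o=acme}"              # rootbinddn from the question
ADMIN_PW_FILE="${ADMIN_PW_FILE:-/etc/ldap.secret}"   # assumption; root-owned, mode 0600

# Return 0 if a value may appear unencoded after "attr:" in LDIF (RFC 2849):
# no leading space, ':' or '<', and only printable ASCII.
ldif_safe() {
    case $1 in
        ' '*|:*|'<'*) return 1 ;;
    esac
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]' && return 1
    return 0
}

# Emit an LDIF change record that replaces userPassword on DN $1 with $2,
# base64-encoding the value (and using "::") when LDIF requires it.
password_ldif() {
    _dn=$1; _pw=$2
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\n' "$_dn"
    if ldif_safe "$_pw"; then
        printf 'userPassword: %s\n-\n' "$_pw"
    else
        printf 'userPassword:: %s\n-\n' "$(printf '%s' "$_pw" | base64 | tr -d '\n')"
    fi
}

# ldapmodify exits with the LDAP result code; name the ones relevant here.
explain_ldap_rc() {
    case $1 in
        0)  echo "success" ;;
        49) echo "invalidCredentials (49): wrong bind DN or password" ;;
        50) echo "insufficientAccessRights (50): bind DN may not write userPassword" ;;
        53) echo "unwillingToPerform (53): the DSA refused the modify, as pam_ldap logged" ;;
        *)  echo "LDAP result code $1" ;;
    esac
}

# Change the password of user $1 (its uid) to $2. -ZZ insists on StartTLS;
# -y reads the admin password from a file instead of putting it in argv.
change_password() {
    _out=$(password_ldif "cn=$1,$BASE" "$2" |
           ldapmodify -x -ZZ -H "$LDAP_URI" -D "$ADMIN_DN" -y "$ADMIN_PW_FILE" 2>&1)
    _rc=$?
    [ "$_rc" -eq 0 ] || printf '%s\n' "$_out" >&2
    explain_ldap_rc "$_rc" >&2
    return "$_rc"
}

# Usage (as root, so the password file is readable):
#   change_password foo 'new-secret'
```

Run it on the client that already has pam_ldap working: if this succeeds while passwd still fails, the difference is the bind identity and the modify pam_ldap builds, not the directory itself.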