LDAP change user pass on client

Posted by Sean on Server Fault See other posts from Server Fault or by Sean
Published on 2011-05-09T15:17:32Z Indexed on 2012/10/13 3:39 UTC
Read the original article Hit count: 632

Filed under:
|

I am trying to allow ldap users to change their password on client machines. I have tried pam every which way I can think of /etc/ldap.conf & /etc/pam_ldap.conf, as well. At this point I'm stuck.

Client: Ubuntu 11.04
Server: Debian 6.0

The current output is this:

sobrien4@T-E700F-1:~$ passwd
passwd: Authentication service cannot retrieve authentication info
passwd: password unchanged

/var/log/auth.log gives this during the command:

May  9 10:49:06 T-E700F-1 passwd[18515]: pam_unix(passwd:chauthtok): user "sobrien4"  does not exist in /etc/passwd
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: reconnecting to LDAP server...
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server

getent passwd |grep sobrien4 (note keeping short since testing with that account, however it outputs all ldap users):

sobrien4:Ffm1oHzwnLz0U:10000:12001:Sean O'Brien:/home/sobrien4:/bin/bash 

getent group shows all ldap groups.

/etc/pam.d/common-password (Note this is just the most current, I have tried a lot of different options):

password   required   pam_cracklib.so retry=3 minlen=8 difok=3
password   [success=1 default=ignore] pam_unix.so use_authtok md5
password   required   pam_ldap.so use_authtok
password   required   pam_permit.so

Popped open wireshark as well, the server & client are talking.

I have the password changing working on the server. I.E. the server that runs slapd, I can log in with the ldap user and change the passwords. I tried copying the working configs from the server initially and no dice.

I also tried cloning it, and just changing ip & host, and no go. My guess is that the client is not authorized by ip or hostname to change a pass.

Pertaining to the slapd conf, I saw this in a guide and tried it:

access to attrs=loginShell,gecos
      by dn="cn=admin,dc=cengineering,dc=etb" write
      by self write
      by * read

access to *
          by dn="cn=admin,dc=cengineering,dc=etb" write
      by self write
      by * read

So ldap seems to be working okay, just can't change the password.

© Server Fault or respective owner

Related posts about ldap

Related posts about openldap