LDAP change user pass on client
- by Sean
I am trying to allow ldap users to change their password on client machines. I have tried pam every which way I can think of /etc/ldap.conf & /etc/pam_ldap.conf, as well. At this point I'm stuck.
Client: Ubuntu 11.04
Server: Debian 6.0
The current output is this:
sobrien4@T-E700F-1:~$ passwd
passwd: Authentication service cannot retrieve authentication info
passwd: password unchanged
/var/log/auth.log gives this during the command:
May 9 10:49:06 T-E700F-1 passwd[18515]: pam_unix(passwd:chauthtok): user "sobrien4" does not exist in /etc/passwd
May 9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server
May 9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: reconnecting to LDAP server...
May 9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server
getent passwd |grep sobrien4 (note keeping short since testing with that account, however it outputs all ldap users):
sobrien4:Ffm1oHzwnLz0U:10000:12001:Sean O'Brien:/home/sobrien4:/bin/bash
getent group shows all ldap groups.
/etc/pam.d/common-password (Note this is just the most current, I have tried a lot of different options):
password required pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so use_authtok md5
password required pam_ldap.so use_authtok
password required pam_permit.so
Popped open wireshark as well, the server & client are talking.
I have the password changing working on the server. I.E. the server that runs slapd, I can log in with the ldap user and change the passwords. I tried copying the working configs from the server initially and no dice.
I also tried cloning it, and just changing ip & host, and no go. My guess is that the client is not authorized by ip or hostname to change a pass.
Pertaining to the slapd conf, I saw this in a guide and tried it:
access to attrs=loginShell,gecos
by dn="cn=admin,dc=cengineering,dc=etb" write
by self write
by * read
access to *
by dn="cn=admin,dc=cengineering,dc=etb" write
by self write
by * read
So ldap seems to be working okay, just can't change the password.