Hi!
So I ran into yet another pothole on the road to LDAP bliss...
We have a root suffix in our directory that stores the basic Posix attributes including password. I've been able to configure my client to use LDAP for directory services and authenticate against my replicas, so far so good! Then I tried to change my user's password, and that's where I started getting a bit hung up.
At first I thought that it was because my replicas weren't sending the update requests/referrals back to the masters. (We have two masters that sit behind four consumers.)
Then I decided to change my ldap.conf files to point directly to my masters... but I still received the same errors: "Can't contact LDAP Server", which was strange since I can do LDAP searches against it all day, and even bind to the servers to do searches! And "Insufficient write privileges", which made me think that maybe it was an ACI... but I have selfwrite enabled for the userPassword attribute...
Here's the output of my failed attempt to change my user's password after logging in successfully to the server:
Changing password for user foo.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=foo,ou=people,dc=dept,dc=school,dc=edu'.
passwd: Permission denied
If anyone has any thoughts I'd be grateful! I'm pretty perplexed!
Best,
Tim
Tim Hartmann wrote:
<snip>
What do your LDAP server access and error logs show at the time of the attempted password change?
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
This is what I see in access from my master:
I don't see any output from error...
[23/Jan/2009:21:12:08 -0500] conn=1939 fd=67 slot=67 SSL connection from 140.247.35.169 to 140.247.30.52
[23/Jan/2009:21:12:08 -0500] conn=1939 SSL 256-bit AES
[23/Jan/2009:21:12:08 -0500] conn=1939 op=0 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:08 -0500] conn=1939 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:08 -0500] conn=1939 op=1 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=23030))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[23/Jan/2009:21:12:08 -0500] conn=1939 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:08 -0500] conn=1939 op=2 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=foo))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[23/Jan/2009:21:12:08 -0500] conn=1939 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:08 -0500] conn=1940 fd=68 slot=68 SSL connection from 140.247.35.169 to 140.247.30.52
[23/Jan/2009:21:12:08 -0500] conn=1940 SSL 256-bit AES
[23/Jan/2009:21:12:08 -0500] conn=1940 op=0 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:08 -0500] conn=1940 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:08 -0500] conn=1940 op=1 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(uid=foo)" attrs=ALL
[23/Jan/2009:21:12:08 -0500] conn=1940 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:13 -0500] conn=1940 op=2 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
[23/Jan/2009:21:12:13 -0500] conn=1940 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
[23/Jan/2009:21:12:13 -0500] conn=1940 op=3 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:13 -0500] conn=1940 op=3 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:18 -0500] conn=1939 op=3 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uidNumber=23030))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[23/Jan/2009:21:12:18 -0500] conn=1939 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:21 -0500] conn=1940 op=4 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
[23/Jan/2009:21:12:21 -0500] conn=1940 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
[23/Jan/2009:21:12:21 -0500] conn=1940 op=5 RESULT err=50 tag=103 nentries=0 etime=0
George Holbert wrote:
<snip>
Tim Hartmann wrote:
<snip>
We're missing the actual request that's causing the problem - there is a line for conn=1940 op=5 RESULT, but there is no line that has the actual operation e.g. conn=1940 op=5 MOD dn="uid=foo,..." etc.
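The check Rich describes can be automated: pair every request line with its RESULT by (conn, op) and flag a RESULT that has no request line or a non-zero err. This is an added example, not code from the thread or from 389 Directory Server; the sample lines are constructed from the log Tim posted, and the tag-to-operation table is the LDAP response PDU tags.

```python
"""Pair request and RESULT lines of a 389/Fedora Directory Server access log by
(conn, op), so an orphaned RESULT or a non-zero err= stands out immediately."""
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the log posted in the thread,
# one entry per line (the archive had run them together).
SAMPLE_LOG = """\
[23/Jan/2009:21:12:08 -0500] conn=1940 fd=68 slot=68 SSL connection from 140.247.35.169 to 140.247.30.52
[23/Jan/2009:21:12:08 -0500] conn=1940 op=0 BIND dn="" method=128 version=3
[23/Jan/2009:21:12:08 -0500] conn=1940 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[23/Jan/2009:21:12:08 -0500] conn=1940 op=1 SRCH base="dc=dept,dc=school,dc=edu" scope=2 filter="(uid=foo)" attrs=ALL
[23/Jan/2009:21:12:08 -0500] conn=1940 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2009:21:12:21 -0500] conn=1940 op=4 BIND dn="uid=foo,ou=People,dc=dept,dc=school,dc=edu" method=128 version=3
[23/Jan/2009:21:12:21 -0500] conn=1940 op=4 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=foo,ou=people,dc=dept,dc=school,dc=edu"
[23/Jan/2009:21:12:21 -0500] conn=1940 op=5 RESULT err=50 tag=103 nentries=0 etime=0
"""

# Only lines that carry op= describe an operation; "fd=", "SSL ..." and
# similar connection-level lines have no op= and are skipped by the parser.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
                     r'(?P<kind>[A-Z]+)(?P<rest>.*)$')
ERR_RE = re.compile(r'\berr=(\d+)')
TAG_RE = re.compile(r'\btag=(\d+)')

# LDAP result codes seen or discussed in the thread (RFC 4511 names).
ERR_NAMES = {0: "success", 10: "referral", 49: "invalidCredentials",
             50: "insufficientAccessRights"}
# The tag= on a RESULT line is the BER tag of the response PDU, which
# tells you what kind of request was answered even if its line is missing.
TAG_NAMES = {97: "BIND", 101: "SRCH", 103: "MOD", 105: "ADD", 107: "DEL",
             109: "MODRDN", 111: "CMP", 120: "EXT"}


def parse_ops(text):
    """Group log lines by (conn, op) into {'request': match, 'result': match}."""
    ops = defaultdict(lambda: {"request": None, "result": None})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        key = (int(m["conn"]), int(m["op"]))
        slot = "result" if m["kind"] == "RESULT" else "request"
        ops[key][slot] = m
    return dict(ops)


def find_problems(text):
    """Return (conn, op, message) triples for operations that need a look."""
    problems = []
    for (conn, op), rec in sorted(parse_ops(text).items()):
        res = rec["result"]
        if res is None:
            problems.append((conn, op, "request with no RESULT yet"))
            continue
        err = int(ERR_RE.search(res["rest"]).group(1))
        tag = int(TAG_RE.search(res["rest"]).group(1))
        if rec["request"] is None:
            what = TAG_NAMES.get(tag, "tag=%d" % tag)
            problems.append((conn, op, "RESULT for a %s whose request line is missing" % what))
        if err != 0:
            problems.append((conn, op, "err=%d (%s)" % (err, ERR_NAMES.get(err, "unknown"))))
    return problems


if __name__ == "__main__":
    for conn, op, msg in find_problems(SAMPLE_LOG):
        print("conn=%d op=%d: %s" % (conn, op, msg))
```

On the sample it reports conn=1940 op=5 twice: once because tag=103 says a MOD was answered but no MOD line was logged, and once for err=50, the insufficientAccessRights that passwd relayed.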
Guys,
I think I've gotten it!
So the two things that looked like I hadn't set up correctly were these:
First:
ACLs on self write. I'd locked those down so tight that I wasn't able to actually write to my own user attribute.
Second:
The referrals under the Configuration Tab (Configuration Tab -> Data -> dc=foo,dc=bar -> Referrals tab) were set to refer only to ldap://master.server:389/dc=foo,dc=bar.
Once I added a referral to port 636, I was able to update my user password correctly, and through the replica!
This documentation was helpful in getting that set up correctly!
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Configuring_Directory_D...
Thanks for all the help troubleshooting this everyone!
Tim
Rich Megginson wrote:
<snip>
On Fri, 2009-01-23 at 20:11 -0500, Tim Hartmann wrote:
<snip>
I'm an LDAP ignoramus so take this for what it's worth -- is it possible it's a PAM configuration problem and not an LDAP or ldap.conf problem?
- John
Could be, but the test server I'm using has a copy of the PAM configs from a production server that works fine in our OpenLDAP environment. I'm in the process of testing our new Directory Server in order to replace the old servers... So same OS and the same config files, which is part of why I'm stumped! It's maddening being so close to the end of this project! :)
Best,
Tim
John A. Sullivan III wrote:
<snip>
Well, I made some progress on this!
In part it turns out that I had my ACIs set too tightly in my "enable self write for common attributes" ACI. Once I made some changes to that ACI I was able to update my user password, so long as the client server was pointing at one of the masters in /etc/ldap.conf and /etc/openldap.conf. However, once I pointed those conf files back to my LDAP replicas, I was back to getting the same errors!
One small step closer to LDAP bliss!
Tim
Tim Hartmann wrote:
<snip>