password change does not work: LDAP, sssd, nss or pam error?
Rick Stevens
ricks at nerd.com
Wed Oct 6 23:30:44 UTC 2010
On 10/06/2010 04:06 PM, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/06/2010 04:28 PM, Volker Potworowski wrote:
>> Hello everyone,
>>
>> on Wednesday, 6 October 2010, Stephen Gallagher wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 10/06/2010 08:28 AM, Volker Potworowski wrote:
>>>> Oct 6 12:18:43 thal passwd: pam_sss(passwd:chauthtok): Password change
>>>> failed for user vp: 28 (Module is unknown)
>>>
>>> This error seems to imply that your LDAP server doesn't have the
>>> password-change extended operation enabled.
>>>
>>> You'll have to check the documentation for OpenLDAP for information on
>>> how to set up the LDAPv3 Password Modify (RFC 3062) extended operation.
>>
>> I have the directive
>>
>> pam_password exop
>>
>> in /etc/ldap.conf. Hope this is enough (but doesn't work anyway).
>>
>> When I debug slapd (with -d 128) while trying to change the password I see:
>>
>> slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
>> => access_allowed: result not in cache (userPassword)
>> => access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de"
>> "userPassword" requested
>> => slap_access_allowed: backend default auth access granted to "(anonymous)"
>> => access_allowed: auth access granted by read(=rscxd)
>> slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
>> => bdb_entry_get: found entry: "uid=vp,ou=people,dc=teraphim,dc=de"
>> => access_allowed: result not in cache (userPassword)
>> => access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de"
>> "userPassword" requested
>> => slap_access_allowed: backend default auth access granted to
>> "uid=vp,ou=People,dc=teraphim,dc=de"
>> => access_allowed: auth access granted by read(=rscxd)
>> => access_allowed: backend default write access denied to
>> "uid=vp,ou=People,dc=teraphim,dc=de"
>>
>>
>> It seems to me that the user does not have the right to write to the
>> password. My slapd.conf includes
>>
>> access to attrs=userPassword
>>         by self write
>>         by anonymous auth
>>         by dn.base="cn=Manager,dc=teraphim,dc=de" write
>>         by * none
>>
>> Any ideas?
>>
>> Cheers
>> Volker
>
>
> This is a server-side configuration issue. Probably you want to be
> asking on the openldap-software mailing list. However, a quick Google
> search revealed this thread which is likely relevant to you:
> http://www.openldap.org/lists/openldap-software/200606/msg00021.html
Yes, and I think what you need is something like:
access to attrs=userPassword
        by dn="cn=manager,dc=teraphim,dc=de" write
        by anonymous auth
        by self write
        by * none
IIRC, the ACLs are processed from top to bottom and you need to auth
before you are granted write privilege. In other words, swap the order
of your "by self" and "by anonymous" lines.
I could be wrong.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting ricks at nerd.com -
- AIM/Skype: therps2 ICQ: 22643734 Yahoo: origrps2 -
- -
- Huked on foniks reely wurked for me! -
----------------------------------------------------------------------
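As an added example (not code from this thread, from sssd or from OpenLDAP), the following script applies the evaluation rules documented in slapd.access(5) to the two ACL orderings quoted above: directives are tried top to bottom, the first `access to` whose <what> matches the target is selected, and within it the first `by` clause whose <who> matches the bound identity decides; an unmatched request inside a matching directive is denied (implicit `by * none`), and a request that no directive matches at all falls back to the backend default level, which is what the `slap_access_allowed: backend default ... access` lines in the `slapd -d 128` trace report. The `check` function, the `SHADOWED_ACL` sample and the Bob DN are my constructions; `dn="..."` in a `by` clause is treated as an exact match, which is the behaviour that applies to the regex-free DNs in this thread.

```python
"""Tiny evaluator for OpenLDAP slapd.conf `access to` directives (added example).

Only the <who> forms that appear in the thread are handled:
  *, anonymous, users, self, dn="..." / dn.base="..." / dn.exact="..."
Assumption: dn="..." without a style is evaluated as an exact DN match.
"""
import re

# Access levels from weakest to strongest; granting a level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize_dn(dn):
    """Case-fold and strip whitespace around RDN separators before comparing DNs."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order.
    Limitation: splits clauses on the token ' by ', so a DN containing ' by ' would break it."""
    acls = []
    for directive in re.split(r"(?m)^\s*access\s+to\s+", text)[1:]:
        parts = re.split(r"\s+by\s+", directive.strip())
        what = parts[0].strip()
        clauses = []
        for clause in parts[1:]:
            who, level = clause.split()[:2]  # the <who> forms handled here contain no spaces
            clauses.append((who, level))
        acls.append((what, clauses))
    return acls


def what_matches(what, target_dn, attr):
    """<what> is '*', 'attrs=a,b', 'dn[.base|.exact]="..."', or a dn plus attrs."""
    if what == "*":
        return True
    attr_ok, dn_ok = True, True
    m = re.search(r"attrs=(\S+)", what)
    if m:
        wanted = [a.lower() for a in m.group(1).split(",")]
        attr_ok = attr is not None and attr.lower() in wanted
    m = re.search(r'dn(?:\.base|\.exact)?="([^"]+)"', what)
    if m:
        dn_ok = normalize_dn(m.group(1)) == normalize_dn(target_dn)
    return attr_ok and dn_ok


def who_matches(who, bound_dn, target_dn):
    """Does this `by <who>` clause apply to the bound identity? bound_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and normalize_dn(bound_dn) == normalize_dn(target_dn)
    m = re.fullmatch(r'dn(?:\.base|\.exact)?="([^"]+)"', who)
    if m:
        return bound_dn is not None and normalize_dn(m.group(1)) == normalize_dn(bound_dn)
    raise ValueError("unsupported <who> form: %s" % who)


def check(acl_text, bound_dn, target_dn, attr, requested, default="read"):
    """Return (allowed, reason) for `requested` access by bound_dn to attr of target_dn."""
    for what, clauses in parse_acls(acl_text):
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bound_dn, target_dn):
                ok = LEVELS.index(level) >= LEVELS.index(requested)
                return ok, "access to %s: by %s %s" % (what, who, level)
        return False, "access to %s: no by clause matched (implicit by * none)" % what
    # No directive covered this target/attribute: slapd applies the backend default.
    ok = LEVELS.index(default) >= LEVELS.index(requested)
    return ok, "no directive matched: backend default %s" % default


VP = "uid=vp,ou=People,dc=teraphim,dc=de"
MANAGER = "cn=Manager,dc=teraphim,dc=de"
BOB = "uid=bob,ou=People,dc=teraphim,dc=de"  # constructed: an unrelated user

ORIGINAL_ACL = """
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=teraphim,dc=de" write
        by * none
"""

REORDERED_ACL = """
access to attrs=userPassword
        by dn="cn=manager,dc=teraphim,dc=de" write
        by anonymous auth
        by self write
        by * none
"""

# Constructed ordering mistake: the catch-all deny shadows `by self write`.
SHADOWED_ACL = """
access to attrs=userPassword
        by * none
        by self write
"""


def self_can_change_password(acl_text):
    """Can the user bound as vp write his own userPassword under this ACL?"""
    return check(acl_text, VP, VP, "userPassword", "write")[0]


if __name__ == "__main__":
    for name, acl in [("original", ORIGINAL_ACL), ("reordered", REORDERED_ACL), ("shadowed", SHADOWED_ACL)]:
        print(name, "self write:", check(acl, VP, VP, "userPassword", "write"))
        print(name, "anonymous auth:", check(acl, None, VP, "userPassword", "auth"))
        print(name, "manager write:", check(acl, MANAGER, VP, "userPassword", "write"))
        print(name, "other user read:", check(acl, BOB, VP, "userPassword", "read"))
    print("uncovered attribute, write:", check(ORIGINAL_ACL, VP, VP, "cn", "write"))
```

Running it shows that both the original and the reordered ACL grant `self write` on userPassword while denying anonymous anything above `auth`, and that order only changes the outcome when an earlier clause such as `by * none` already matches the bound identity. The last call shows the fallback path: for an attribute that no directive covers, the result is whatever the backend default allows, so a trace line reading `backend default write access denied` means the request was decided by that default rather than by the directive the administrator expected to apply.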