help with ldap

Craig White craigwhite at azapple.com
Fri Apr 1 19:07:40 UTC 2011 

On Fri, 2011-04-01 at 17:50 +0200, Judith Flo Gaya wrote:
> Hello,
> 
> I'm trying for some days to get an ldap server working, but I'm stuck 
> with some issues ;( Some of them, I just worked them around, but there's 
> one I can't deal with, I can get a user to change it's password in a 
> client machine.
> 
> This is a RHEL 6 server with
> compat-openldap-2.4.19_2.3.43-15.el6.x86_64
> openldap-devel-2.4.19-15.el6.x86_64
> openldap-2.4.19-15.el6.x86_64
> openldap-servers-2.4.19-15.el6.x86_64
> openldap-clients-2.4.19-15.el6.x86_64
> 
> the slapd.conf interesting part:
> access to attrs=userPassword,shadowLastChange
>          by self write
>          by anonymous auth
>          by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
>          by * none
> 
> access to *
>          by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
>          by * read
> 
> access to *
>          by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
>          by * read
> 
> 
> 
> This is the client rpms (fedora 14)
> openldap-2.4.22-7.fc14.x86_64
> openldap-devel-2.4.22-7.fc14.x86_64
> openldap-2.4.22-7.fc14.i686
> openldap-clients-2.4.22-7.fc14.x86_64
> 
> And the problem is this:
> client_machine-bash-4.1$ passwd
> Changing password for user user1.
> Enter login(LDAP) password:
> New password:
> Retype new password:
> LDAP password information update failed: Insufficient access
> passwd: Authentication token manipulation error
> 
> I have to mention that I had to made some changes in order to simply be
> able to query for a user. Ldapsearch worked but in order to do something 
> like :
> id user1
> or
> su - user1
> 
> I had to change /etc/sysconfig/authconfig with
> FORCELEGACY=yes
> #FORCELEGACY=no
> 
> In this way I have been able to modify /etc/nsswitch with ldap values
> when running authconfig-tui (otherwise it was only using sss and I 
> couldn't even be asked for the ldap password).
> 
> The point is the sss system. Without this entry (sss in nsswitch) I'm 
> not able to id or su, but if I don't put the ldap
> keyword, I'm not even asked for the Enter login(LDAP) password:
> but I'm asked for the "local" password which of course, doesn't exists, 
> so I get a nice "system error -4" because the system doesn't recognize it.
> 
> I don't know if I made myself clear enough, hope you can help me and I
> really thank you in advance for any help you could provide.
----
change your ACL's on the server...

access to attrs=userPassword,shadowLastChange
   by self write
   by anonymous auth
   by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
   by * none
 
access to *
   by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
   by anonymous auth
   by * read

Craig


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

More information about the users mailing list