"passwd" by root for user fails with sssd,pam, ldap
Augustin Wolf
augustynwilk at gmail.com
Sat Jul 20 12:43:59 UTC 2013
On 20 July 2013 10:52, William Brown <william at firstyear.id.au> wrote:
>> For now, LDAP ACL was "turned off" - every user has manage permission,
> Each user will have permission on their own ldap object they bind to, to change their passwords.
> Root may not be able to bind to ldap, or roots object doesn't have the acl to modify the password attr on the user's object.
It is not entirely true. With ACL as above, or commonly used ACL:
to userPassword by self write by * auth
it is true, but users tend to forgot their passwords, and You don't
have to give them write permission to yserPassword attribute. Now
there need to be some other way for administrator to reset users
passwords. Command "passwd" is most common, and doesn't require admin
to remember user DN.
> What ldap server are you using? You may consider contacting thier mailing lists for help.
>[root at ldap ~]# cat /etc/openldap/ldap.conf |grep -ve "^#"|grep -ve "^$"
>> Configs, logs, etc are in here: http://fpaste.org/26708/
it is openldap. thanks, I will.
> Sincerely,
> William
Thanks for reply
More information about the users
mailing list