password change over LDAP works only if TLS is disabled
I am trying to set up a Linux server (Fedora Core 2, kernel 2.6.10) to use LDAP as
the password repository.
The LDAP server is local to the server, and I manage to authenticate any
user or change their password with the following /etc/ldap.conf file:
host 127.0.0.1
base ou=people,dc=.......
port 2389
pam_password clear
sslpath /var/db/cert7.db
ssl off
But when enabling TLS (I have "ssl start_tls" as the last line above instead
of "ssl off"), I can still authenticate any user (that is, I can telnet to the server
and see the authentication occurring on the LDAP server), but trying to change their password (as root, with the passwd command) always fails with this error message:
Authentication token manipulation error
I don't think the problem is on the directory side since I can bind or search over
TLS using at least 2 different LDAP clients/browsers.
I don't think the problem is in the PAM configuration since it works with TLS disabled,
so I don't know where to search anymore; it looks like a bug to me.
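As an added example (not posted in this thread, and not pam_ldap's own code): a small POSIX shell checker for a pam_ldap/nss_ldap style /etc/ldap.conf that reports whether a password change would cross the wire unencrypted, plus a probe that tests the directory over STARTTLS with the OpenLDAP client tools so a failure can be pinned to the TLS layer rather than PAM. It assumes the "key value" syntax shown above and the defaults noted in the comments; the sample configuration and base DN are constructed.

```shell
# Added example, not from the thread: check a pam_ldap/nss_ldap style
# /etc/ldap.conf for whether a password change would be sent in clear text,
# and show how to test the directory over STARTTLS independently of PAM.
# Assumed syntax: "key value" lines, '#' comments; keys host, ssl, pam_password.
# conf_val FILE KEY -> last uncommented value for KEY (empty if absent)
conf_val() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}
# lint_ldap_conf FILE -> prints a finding; returns 0 when TLS protects the
# change, 1 when the password would be sent unencrypted.
lint_ldap_conf() {
    host=$(conf_val "$1" host); ssl=$(conf_val "$1" ssl); pw=$(conf_val "$1" pam_password)
    : "${host:=127.0.0.1}" "${ssl:=off}" "${pw:=clear}"   # assumed pam_ldap defaults
    case "$ssl" in
        start_tls|on)   # STARTTLS on the plain port, or ldaps
            echo "ok: ssl=$ssl wraps pam_password=$pw to $host"
            [ "$pw" = clear ] && echo "note: 'clear' relies entirely on TLS; 'exop' uses the Password Modify extended op"
            return 0 ;;
    esac
    case "$host" in
        127.*|localhost|::1)
            echo "warn: ssl=$ssl, pam_password=$pw to loopback $host: unencrypted, exposure limited to this host" ;;
        *)
            echo "FAIL: ssl=$ssl, pam_password=$pw to $host: password leaves the machine in clear text" ;;
    esac
    return 1
}
# probe_tls HOST PORT -> anonymous bind with -ZZ (fail unless TLS is established).
# A failure here is a TLS/certificate problem on the directory side, not a PAM
# one. Needs the OpenLDAP client tools (ldapwhoami, ldappasswd).
probe_tls() {
    command -v ldapwhoami >/dev/null 2>&1 || { echo "ldapwhoami not installed"; return 2; }
    ldapwhoami -x -ZZ -H "ldap://$1:$2/"
    # The password change itself can be tried the same way, bypassing PAM:
    #   ldappasswd -x -ZZ -H ldap://HOST:PORT/ -D 'uid=USER,ou=people,dc=EXAMPLE' -W -S
}
# Constructed sample mirroring the poster's working (TLS off) configuration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
host 127.0.0.1
port 2389
pam_password clear
ssl off
EOF
lint_ldap_conf "$sample" || :   # non-zero status here is the expected finding
rm -f "$sample"
```

Run `probe_tls 127.0.0.1 2389` on the affected host to check the STARTTLS handshake with the same client library PAM uses; if that bind succeeds but `ldappasswd -ZZ` does not, the directory's handling of the modify over TLS is where to look.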
> Gerhard,
>
> I have solved a problem I reported a long time ago about
> the following (user cannot change own password):
>
> passwd: Authentication token manipulation error
>
> The solution was simply to chmod +s /usr/bin/passwd
You can try that but I am not sure.
--Abid Kazmi
-=-EDIT-=-
> but trying to change their password (as root, with the passwd command) always fails
Didn't notice the root there. That seems to be a serious error with your passd and shdw files. Will go in depth later. At school and bell has rung.
Last edited by securehack; 06-01-2005 at 01:13 PM.
I'd already googled a lot before posting that question, and thus I had already seen this
solution but since my /usr/bin/passwd file rights and ownership look OK (-r-s--x--x root root),
it's not the right solution in my case.
Moreover, in such a case, I think I would also have trouble changing the passwd over LDAP
without TLS enabled, which is not the case: just adding a # at the beginning of the
"ssl start_tls" line in /etc/ldap.conf makes the whole thing work, while over TLS I can't change
any passwd but can still authenticate (??!!...).
Good luck at school anyway!