LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Old 11-24-2009, 03:23 AM   #1
cnzj
LQ Newbie
 
Registered: May 2009
Posts: 2

Rep: Reputation: 0
RHEL 5 - User can't change password for OpenLDAP account


Hi All,
I set up an OpenLDAP server on RHEL5 and imported info from /etc/password into the LDAP database. Now I can log on using OpenLDAP accounts (user1), but I don't know how to change the password. Could you show me how to do that? The command "passwd" only works with local accounts.
Thank you and best regards.
-------------------------------
Last login: Tue Nov 24 23:15:48 2009
Could not chdir to home directory /home/user1: No such file or directory
-bash-3.2$ passwd
Changing password for user user1.
passwd: Authentication token manipulation error
-bash-3.2$
 
Old 11-24-2009, 10:12 PM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
You need a PAM module for passwd....
Look at this: http://mandrivausers.org/index.php?/...ange-password/

Last edited by irishbitte; 11-24-2009 at 10:15 PM.
 
Old 11-25-2009, 03:58 AM   #3
cnzj
LQ Newbie
 
Registered: May 2009
Posts: 2

Original Poster
Rep: Reputation: 0
Thank you. I'll try.
 
Old 01-06-2010, 12:45 AM   #4
palladin68
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Rep: Reputation: 0
No luck

I tried using the PAM settings from the mandriva article, but no luck.

I still get:
LDAP password information update failed: Insufficient access.

(The problem seems to have been around for almost 10 years (doing a google search), but just can't find a solution. I've modified the slapd.conf to allow self access to userpassword, which seems to be what everyone recommends, but still no luck).
 
Old 01-06-2010, 04:52 AM   #5
palladin68
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Rep: Reputation: 0
I've tried all sorts of variations of the ACL list, but still can't get it to change the password.

My LDAP Server log has the following:

vm0 slapd: conn=2 op=4 BIND dn="uid=me,ou=users,o=mas" mech=SIMPLE ssf=0
vm0 slapd: conn=2 op=4 RESULT tag=97 err=0 text=
Jan 7 33:25 vm001 slapd[16539]: conn=2 op=5 MOD dn="uid=me,ou=users,o=mas"
vm0 slapd: conn=2 op=5 MOD attr=userPassword
vm0 slapd: => access_allowed: backend default write access denied to "uid=me,ou=users,o=mas"


I've tried adding

access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by * none


to both the global directive and the specific directive for the DB, but both give the same result.
 
Old 01-08-2010, 09:37 PM   #6
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Hmmm. Can't quite recall, but I believe there is something about how LDAP is setup on the client, whether the client has root/admin access for such things. Unfortunately, OpenLDAP is a much modified beast, so you may need more expert assistance than I can offer you.
A suggestion: Try setting up a test client, maybe a vm, and configure it for LDAP access to your server, and note all the steps you need to get it working. The client may be the problem...
Also, just to check, what type of clients are bound to the server? Linux-distro, Windows?
 
Old 01-08-2010, 09:43 PM   #7
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
Just noticed this:
Quote:
backend default write access denied to "uid=me,ou=users,o=mas"
what backend are you using? It should really only be the DB itself?
 
Old 01-08-2010, 09:50 PM   #8
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
This looks very relevant to your situation: http://www.openldap.org/lists/openld.../msg00165.html
 
Old 01-09-2010, 05:52 AM   #9
palladin68
LQ Newbie
 
Registered: Jan 2010
Posts: 3

Rep: Reputation: 0
Solution

I found my problem. When changing the ACL, I had originally copied the default line from the main section of the file into my database section. That line included a space at the beginning. I also included a space at the start of my access line as well (since the stuff that was already there had it).

I needed to delete the space before the 'access' directive; once I did this for both entries, the problem went away, and user accounts are able to change passwords:

Code:
access to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
access to * 
  by self write
  by * read
(The space means that it is a continuation of the previous line, so for 'by' lines it is appropriate).

thanks,
James
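As an added illustration (my own code, not anything posted in this thread) of the leading-space problem palladin68 hit in posts #5 and #9: a small Python model of slapd.conf continuation-line joining, run over a constructed database section whose 'access' lines are indented and over the corrected version, then checked for whether a user bound as self gets write on userPassword. The sample config, the line joiner and the ACL evaluator are simplified assumptions, not slapd's real parser.

```python
import re
# Constructed sample (not the poster's file). In slapd.conf a line that begins with
# whitespace continues the previous line, so these indented 'access' lines vanish.
BROKEN_CONF = """\
database bdb
rootdn "cn=Manager,o=mas"
 access to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
 access to *
  by self write
  by * read
"""
# The fix from post #9: 'access' in column one, only the 'by' clauses indented.
FIXED_CONF = BROKEN_CONF.replace("\n access to", "\naccess to")

def join_continuations(text):
    """Simplified slapd.conf joining: skip blanks/comments, glue whitespace-led lines."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()   # continuation of previous logical line
        else:
            logical.append(raw.strip())
    return logical

def parse_access(logical_lines):
    """Return [(what, [(who, level), ...]), ...], one per 'access to' directive."""
    acls = []
    for line in logical_lines:
        if line.startswith("access to "):
            what, *clauses = re.split(r"\s+by\s+", line[len("access to "):])
            acls.append((what.strip(), [tuple(c.split(None, 1)) for c in clauses]))
    return acls

def self_can_write_userpassword(acls):
    """Evaluate like slapd: first directive whose <what> covers userPassword decides,
    first matching <who> sets the level, no match = no access; with no ACLs at all
    the built-in default is 'access to * by * read', hence 'write access denied'."""
    for what, clauses in acls:
        attrs = re.search(r"attrs=(\S+)", what)
        if what == "*" or (attrs and "userpassword" in attrs.group(1).lower().split(",")):
            for who, level in clauses:
                if who in ("self", "users", "*"):
                    return level in ("write", "manage")
            return False
    return False
```

With BROKEN_CONF the two indented directives are appended to the rootdn line, so no ACL is parsed at all and the default read-only policy applies, which is exactly the "backend default write access denied" seen in the log in post #5.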
 
Old 01-10-2010, 02:07 PM   #10
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
excellent, glad you got sorted...
 
Old 01-18-2011, 06:09 PM   #11
karlochacon
Member
 
Registered: Dec 2006
Posts: 107

Rep: Reputation: 17
Quote:
Originally Posted by palladin68
I found my problem. When changing the ACL, I had originally copied the default line from the main section of the file into my database section. That line included a space at the beginning. I also included a space at the start of my access line as well (since the stuff that was already there had it).

I needed to delete the space before the 'access' directive; once I did this for both entries, the problem went away, and user accounts are able to change passwords:

Code:
access to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
access to * 
  by self write
  by * read
(The space means that it is a continuation of the previous line, so for 'by' lines it is appropriate).

thanks,
James
palladin68

thanks a lot

your code

Code:
access to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by * none
access to * 
  by self write
  by * read
helped me to be able to change passwords for users.
 
  

