LinuxQuestions.org
Old 10-04-2009, 02:28 PM   #1
cotton213
LQ Newbie
 
Registered: Dec 2004
Location: Michigan
Distribution: Slackware, Red Hat, Ubuntu
Posts: 23

Rep: Reputation: 1
LDAP in Slackware - do I need PAM to allow users to change passwords?


I have an LDAP server running (mostly) in Slackware 13. I can authenticate against it, but users cannot change their passwords. I admit I'm not sure I'm doing it right:

>ldappasswd
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
>

I am unclear on how SASL fits into everything. I have nss_ldap installed, of course, but it looks like it only works with {CRYPT} passwords (and is that even part of the problem?). I have no ACLs defined.

I thought I read in some ancient post that I might need PAM to do anything besides query -- that is, I can auth with nss_ldap, but need PAM to change passwords. Can anyone confirm or deny? Is there a "proper" way to use LDAP with Slackware?

P.S. (not strictly Slack related) The ldappasswd man page (on linux.die.net) says this:
ldappasswd is neither designed nor intended to be a replacement for passwd(1) and should not be installed as such.
What on earth does this mean, and how does one properly change passwords when using LDAP for authentication?

Barb
 
Old 10-04-2009, 08:25 PM   #2
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
PAM: Pluggable Authentication Module. You need PAM modules in order to allow the local machine to manipulate external auth mechanisms, including, but not limited to: LDAP, Kerberos, NIS, Active Directory, and so forth. NSS_LDAP is just a shortcut hack around getting LDAP auth working, but PAM is the real way to go.
My experience in this is using OpenLDAP on an Ubuntu server with Ubuntu clients.
 
0 members found this post helpful.
Old 10-04-2009, 08:29 PM   #3
irishbitte
Senior Member
 
Registered: Oct 2007
Location: Brighton, UK
Distribution: Ubuntu Hardy, Ubuntu Jaunty, Eeebuntu, Debian, SME-Server
Posts: 1,213
Blog Entries: 1

Rep: Reputation: 82
BTW this:
Quote:
ldappasswd is neither designed nor intended to be a replacement for passwd(1) and should not be installed as such.
means don't link ldappasswd to passwd on the LDAP clients! It's an insecure way of changing credentials in LDAP.

Simply put, if you have the client setup correctly bound to the LDAP server, changing passwords should be transparent to the user, they should not even know they are working from a server!
 
Old 12-02-2010, 04:15 PM   #5
PhantasyConcepts
LQ Newbie
 
Registered: May 2009
Posts: 17

Rep: Reputation: 3
Slackware and PAM

I have not used PAM at all. I also didn't use LDAP for authentication. I will have to finish building OpenLDAP and see if I can set it up as a directory for authentication. My guess is, and this is coming from working with an installation of Active Directory, you need to authenticate before changing the password, and the user in question must have authority to change the password in LDAP. Try logging in as root, and changing someone else's password once. If that works, work backwards from there. Ask yourself why root can change bob's password, but bob can't. Always start troubleshooting on the LDAP server to see if it is your connection or your server. When you get it working on the LDAP server, try it from a remote PC. Check your build options on OpenLDAP to be sure that it was built with support for ldapmodify and so forth. You may not have all of the required libraries, or be at the right version for them to work. I took a break from configuring my OpenLDAP box with Slackware, so I can't go into it now (and my break has been about a year so far!). I will have to get back into it when school goes on the next hiatus (the 20th or so) and let you know.
 
Old 12-02-2010, 04:17 PM   #6
PhantasyConcepts
LQ Newbie
 
Registered: May 2009
Posts: 17

Rep: Reputation: 3
Duh,

I just reread your post. The first time it asks you for a password, that means your CURRENT password. In other words, in order to change your password, you need to know the old one. For someone to reset a forgotten password, they need to be the LDAP owner (usually root).
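
Added example, not written by any poster in this thread: post #1 mentions having no ACLs defined and post #5 says the user needs authority to change the password, so this script checks a slapd.conf for a clause granting that authority on userPassword. The sample configs, suffix and function names are constructed for the demo, and the checker is a simplified lint rather than a full ACL evaluator.

```shell
#!/bin/sh
# Added example (not from the thread): lint slapd.conf for the userPassword ACL.
# Simplified: reads only "to *" / "attrs=" forms, ignores by-clause ordering.
acl_directives() {   # one "access to" directive per line (joins continuations)
    awk '
        function emit() {
            if (on) { gsub(/[ \t]+/, " ", buf); print buf }
            on = 0
        }
        /^[ \t]*#/      { next }
        /^[ \t]+[^ \t]/ { if (on) buf = buf " " $0; next }
                        { emit() }
        /^access[ \t]+to[ \t]/ { buf = $0; on = 1 }
        END { emit() }' "$1"
}
# Returns 0 = self can change password, 1 = cannot, 2 = can, but hashes readable.
check_self_password_change() {
    acls=$(acl_directives "$1")
    if [ -z "$acls" ]; then
        echo "no ACLs: slapd defaults to 'access to * by * read', no self write"
        return 1
    fi
    # slapd uses the first directive whose <what> covers the attribute.
    acl=$(printf '%s\n' "$acls" |
        grep -i -E '^access to (\* |[^ ]* ?attrs=[^ ]*userPassword)' | head -n 1)
    if ! printf '%s\n' "$acl" | grep -q -i -E ' by self (write|manage)'; then
        echo "self cannot write userPassword: ${acl:-no matching directive}"
        return 1
    fi
    if printf '%s\n' "$acl" | grep -q -i -E ' by (\*|users|anonymous) (read|write|manage)'; then
        echo "self write ok, but others can read the hashes: $acl"
        return 2
    fi
    echo "ok: $acl"
}
# Constructed sample configs; suffix and DNs are placeholders.
tmp=$(mktemp -d)
printf 'database bdb\nsuffix "dc=example,dc=com"\n' > "$tmp/none.conf"
cat > "$tmp/good.conf" <<'EOF'
database bdb
suffix "dc=example,dc=com"
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
EOF
sed 's/by \* none/by * read/' "$tmp/good.conf" > "$tmp/leaky.conf"
for f in none good leaky; do check_self_password_change "$tmp/$f.conf" || true; done
```

With a clause like the one in `good.conf` loaded, a user can change their own password over a simple bind with `ldappasswd -x -D "uid=bob,ou=People,dc=example,dc=com" -W -S` (placeholder DN), where `-x` selects simple authentication instead of the SASL bind shown in the question.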
 
  

