Hi All,
I setup Openldap server on RHEL5, import info from /etc/password into LDAP database. Now I can log on using Openldap accounts (user1), but I don't know how to change password. Could you show me how to do that ? Command "passwd" only works with local accounts.
Thank you and best regards.
-------------------------------
Last login: Tue Nov 24 23:15:48 2009
Could not chdir to home directory /home/user1: No such file or directory
-bash-3.2$ passwd
Changing password for user user1.
passwd: Authentication token manipulation error
-bash-3.2$

You need a PAM module for passwd....
Look at this: http://mandrivausers.org/index.php?/...ange-password/

Thank you. I'll try.

I tried using the PAM settings from the mandriva article, but no luck.

I still get:
LDAP password information update failed: Insufficient access.

(The problem seems to have been around for almost 10 years (doing a google search), but just can't find a solution. I've modified the slapd.conf to allow self access to userpassword, which seems to be what everyone recommends, but still no luck).

I've tried all sorts of variations of the ACL list, but still can't get it to change the password.

My LDAP Server log has the following:

vm0 slapd: conn=2 op=4 BIND dn="uid=me,ou=users,o=mas" mech=SIMPLE ssf=0
vm0 slapd: conn=2 op=4 RESULT tag=97 err=0 text= Jan 7 33:25 vm001 slapd[16539]: conn=2 op=5 MOD dn="uid=me,ou=users,o=mas"
vm0 slapd: conn=2 op=5 MOD attr=userPassword
vm0 slapd: => access_allowed: backend default write access denied to "uid=me,ou=users,o=mas"


I've tried adding

access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by * none


To both the global directive and the specific directive for the DB,but both give the same result.

Hmmm. Can't quite recall, but I believe there is something about how LDAP is setup on the client, whether the client has root/admin access for such things. Unfortunately, OpenLDAP is a much modified beast, so you may need more expert assistance than I can offer you.
A suggestion: Try setting up a test client, maybe a vm, and configure it for LDAP access to your server, and note all the steps you need to get it working. The client may be the problem...
Also, just to check, what type of clients are bound to the server? Linux-distro, Windows?

Just noticed this: what backend are you using? It should really only be the DB itself?

This looks very relevant to your situation: http://www.openldap.org/lists/openld.../msg00165.html

I found my problem. When changing the ACL, I had originally copied the default line from the main section of the file into my dabatase section. That line included a space as the begining. I also included a space at the start my access line as well (since the stuff that was already there had it).

I needed to delete the space before the 'access' directive, once I did this for both entries, the problem went away, and user accounts are able to change passwords:

(The space means that it is a continuation of the previous line, so for 'by' lines it is appropriate).

thanks,
James

excellent, glad you got sorted...

palladin68

thanks a lot

your code

helped me to be able to change password for users