I have an LDAP server running (mostly) in Slackware 13. I can authenticate against it, but users cannot change their passwords. I admit I'm not sure I'm doing it right:

>ldappasswd
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
>

I am unclear on how SASL fits into everything. I have nss_ldap installed, of course, but it looks like it only works with {CRYPT} passwords (and is that even part of the problem). I have no ACL's defined.

I thought I read in some ancient post that I might need PAM to do anything besides query -- that is, I can auth with nss_ldap, but need PAM to change passwords. Can anyone confirm or deny? Is there a "proper" way to use LDAP with Slackware.

P.S. (not stricly Slack related) The ldappasswd man page (on linux.die.net) says this:

ldappasswd is neither designed nor intended to be a replacement for passwd(1) and should not be installed as such.

What on earth does this mean, and how does one properly change passwords when using ldap for authentication.

Barb

PAM: Pluggable Authentication Module. You need PAM modules in order to allow the local machine to manipulate external auth mechanisms, including, but not limited to: LDAP, Kerberos, NIS, Active Directory, and so forth. NSS_LDAP is the just a shortcut hack around getting LDAP auth working, but PAM is the real way to go.
My experience in this is using OpenLDAP on an ubuntu server with ubuntu clients.

0 members found this post helpful.

BTW this: means don't link ldappasswd to passwd on the LDAP clients! It's an insecure way of changing credentials in LDAP.

Simply put, if you have the client setup correctly bound to the LDAP server, changing passwords should be transparent to the user, they should not even know they are working from a server!

BTW this: means don't link ldappasswd to passwd on the LDAP clients! It's an insecure way of changing credentials in LDAP.

Simply put, if you have the client setup correctly bound to the LDAP server, changing passwords should be transparent to the user, they should not even know they are working from a server!

I have not used PAM at all. I also didn't use LDAP for authentication. I will have to finish building OpenLDAP and see if I can set it up as a directory for authentication. My guess is, and this is coming from working with an installation of Active Directory, you need to authenticate before changing the password, and the user in question must have authority to change the password in LDAP. Try logging in as root, and changing someone else's password once. If that works, work backwards from there. As yourself why root can change bob's password, but bob can't. Always start troubleshooting on the LDAP server to see if it is your connection or your server. When you get it working on the LDAP server, try it from a remote PC. Check your build options on OpenLDAP to be sure that it was built with support for ldapmodify and so forth. You may not have all of the required libraries, or be at the right version for them to work. I took a break from configuring my OpenLDAP box with Slackware, so I can't go into it now (and my break has been about a year so far!). I will have to get back into it when school goes on the next hiatus (the 20th or so) and let you know.

Duh,

I just reread your post. The first time it asks you for a password, that means your CURRENT password. In other words, in order to change your password, you need to know the old one. For someone to reset a forgotten password, they need to be the LDAP owner (usually root).