LDAP in Slackware - do I need PAM to allow users to change passwords?
I have an LDAP server running (mostly) in Slackware 13. I can authenticate against it, but users cannot change their passwords. I admit I'm not sure I'm doing it right:
>ldappasswd
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
I am unclear on how SASL fits into everything. I have nss_ldap installed, of course, but it looks like it only works with {CRYPT} passwords (and is that even part of the problem?). I have no ACLs defined.
I thought I read in some ancient post that I might need PAM to do anything besides query -- that is, I can auth with nss_ldap, but need PAM to change passwords. Can anyone confirm or deny? Is there a "proper" way to use LDAP with Slackware?
P.S. (not strictly Slack related) The ldappasswd man page (on linux.die.net) says this:
ldappasswd is neither designed nor intended to be a replacement for passwd(1) and should not be installed as such.
What on earth does this mean, and how does one properly change passwords when using LDAP for authentication?
PAM: Pluggable Authentication Module. You need PAM modules in order to allow the local machine to manipulate external auth mechanisms, including, but not limited to: LDAP, Kerberos, NIS, Active Directory, and so forth. NSS_LDAP is just a shortcut hack around getting LDAP auth working, but PAM is the real way to go.
My experience in this is using OpenLDAP on an ubuntu server with ubuntu clients.
ldappasswd is neither designed nor intended to be a replacement for passwd(1) and should not be installed as such.
means don't link ldappasswd to passwd on the LDAP clients! It's an insecure way of changing credentials in LDAP.
Simply put, if you have the client setup correctly bound to the LDAP server, changing passwords should be transparent to the user, they should not even know they are working from a server!
I have not used PAM at all. I also didn't use LDAP for authentication. I will have to finish building OpenLDAP and see if I can set it up as a directory for authentication. My guess is, and this is coming from working with an installation of Active Directory, you need to authenticate before changing the password, and the user in question must have authority to change the password in LDAP. Try logging in as root, and changing someone else's password once. If that works, work backwards from there. Ask yourself why root can change bob's password, but bob can't. Always start troubleshooting on the LDAP server to see if it is your connection or your server. When you get it working on the LDAP server, try it from a remote PC. Check your build options on OpenLDAP to be sure that it was built with support for ldapmodify and so forth. You may not have all of the required libraries, or be at the right version for them to work. I took a break from configuring my OpenLDAP box with Slackware, so I can't go into it now (and my break has been about a year so far!). I will have to get back into it when school goes on the next hiatus (the 20th or so) and let you know.
I just reread your post. The first time it asks you for a password, that means your CURRENT password. In other words, in order to change your password, you need to know the old one. For someone to reset a forgotten password, they need to be the LDAP owner (usually root).
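The thread touches two things worth seeing concretely: the userPassword storage schemes the original poster mentions ({CRYPT} versus the hashed schemes slapd itself understands), and the last reply's point that a password change is only accepted after the current password verifies. The following is an added example, not code from the thread or from OpenLDAP; it mirrors the {SSHA} and {SHA} userPassword formats that slappasswd produces (scheme prefix plus base64 of digest, with a trailing salt for {SSHA}) and models the "prove the old password, then replace it" step that a server enforces. The entry dictionary, the user name and the 4-byte salt length are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4  # slappasswd uses a short random salt; length is an assumption here


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """Return an unsalted {SHA} value: base64(sha1(pw)). Kept for comparison only."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_userpassword(stored: str, candidate: str) -> bool:
    """Check a cleartext candidate against a stored userPassword value.

    {CRYPT} is deliberately not handled: that scheme is the one a plain
    nss_ldap/glibc client can compare locally via crypt(3); the hashed schemes
    below are only checkable by the directory server itself, which is why a
    client must bind (prove the password) rather than compare it locally.
    """
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is always 20 bytes
        expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(digest, expected)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        expected = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(digest, expected)
    raise ValueError("unsupported userPassword scheme: " + stored.split("}")[0] + "}")


def change_password(entry: dict, old_password: str, new_password: str) -> bool:
    """Model the server-side rule the thread describes: the current password
    must verify before userPassword is replaced. Returns True on success and
    leaves the entry untouched on failure."""
    if not verify_userpassword(entry["userPassword"], old_password):
        return False
    entry["userPassword"] = make_ssha(new_password)  # re-salted on every change
    return True


if __name__ == "__main__":
    # Constructed sample entry; "bob" and the password are not from the thread.
    bob = {"uid": "bob", "userPassword": make_ssha("old-secret")}
    print("wrong old password accepted?", change_password(bob, "guess", "new-secret"))
    print("right old password accepted?", change_password(bob, "old-secret", "new-secret"))
    print("stored value:", bob["userPassword"])
```

Two things to notice when running it: two {SSHA} values for the same password never match as strings because each carries its own salt, while {SHA} is deterministic and so the same password yields the same stored value across every account, which is the reason salted schemes are preferred; and `change_password` refuses to touch the entry until the old password verifies, which is exactly the behaviour behind "the first time it asks you for a password, that means your CURRENT password".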