Re: password change does not work: LDAP, sssd, nss or pam error?

On 10/06/2010 04:06 PM, Stephen Gallagher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/06/2010 04:28 PM, Volker Potworowski wrote:
>> Hello everyone,
>>
>> On Wednesday, 6 October 2010, Stephen Gallagher wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 10/06/2010 08:28 AM, Volker Potworowski wrote:
>>>> Oct  6 12:18:43 thal passwd: pam_sss(passwd:chauthtok): Password change
>>>> failed for user vp: 28 (Module is unknown)
>>>
>>> This error seems to imply that your LDAP server doesn't have the
>>> password-change extended operation enabled.
>>>
>>> You'll have to check the documentation for OpenLDAP for information on
>>> how to set up the LDAPv3 Password Modify (RFC 3062) extended operation.
>>
>> I have the directive
>>
>> pam_password exop
>>
>> in /etc/ldap.conf. Hope this is enough (but doesn't work anyway).
>>
>> When I debug slapd (with -d 128) while trying to change the password I see:
>>
>> slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
>> =>  access_allowed: result not in cache (userPassword)
>> =>  access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de"
>> "userPassword" requested
>> =>  slap_access_allowed: backend default auth access granted to "(anonymous)"
>> =>  access_allowed: auth access granted by read(=rscxd)
>> slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
>> =>  bdb_entry_get: found entry: "uid=vp,ou=people,dc=teraphim,dc=de"
>> =>  access_allowed: result not in cache (userPassword)
>> =>  access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de"
>> "userPassword" requested
>> =>  slap_access_allowed: backend default auth access granted to
>> "uid=vp,ou=People,dc=teraphim,dc=de"
>> =>  access_allowed: auth access granted by read(=rscxd)
>> =>  access_allowed: backend default write access denied to
>> "uid=vp,ou=People,dc=teraphim,dc=de"
>>
>>
>> It seems to me that the user does not have the right to write to the
>> password. My slapd.conf includes
>>
>> access to attrs=userPassword
>>      by self write
>>      by anonymous auth
>>      by dn.base="cn=Manager,dc=teraphim,dc=de" write
>>      by * none
>>
>> Any ideas?
>>
>> Cheers
>> Volker
>
>
> This is a server-side configuration issue. Probably you want to be
> asking on the openldap-software mailing list. However, a quick Google
> search revealed this thread which is likely relevant to you:
> http://www.openldap.org/lists/openldap-software/200606/msg00021.html

Yes, and I think what you need is something like:

	access to attrs=userPassword
		by dn="cn=manager,dc=teraphim,dc=de" write
		by anonymous auth
		by self write
		by * none

IIRC, the ACLs are processed from top to bottom and you need to auth
before you are granted write privilege.  In other words, swap the order
of your "by self" and "by anonymous" lines.

I could be wrong.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting          ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734            Yahoo: origrps2 -
-                                                                    -
-                Huked on foniks reely wurked for me!                -
----------------------------------------------------------------------
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
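An added example, not code from this thread or from OpenLDAP, to show how slapd actually picks a "by" clause. slapd.access(5) documents that, within the first "access to" directive whose target matches, the first "by" clause whose <who> selector matches the bound identity decides the access level, and the operation is granted only if that level covers the privilege the operation needs ("auth" for the bind that checks the old password, "write" for replacing userPassword, whether via the Password Modify exop or a plain modify). The evaluator below models just that rule for the selectors used in the thread (self, anonymous, dn.base=, *). The DNs are the ones from Volker's config; the three ACL orderings and the request list are mine, and the evaluator ignores everything else slapd does (per-database placement of directives, "stop"/"continue", regex selectors).

```python
"""Toy evaluator for OpenLDAP ``access to attrs=userPassword by ...`` directives.

Added example (not OpenLDAP code). Models the slapd.access(5) rule: the first
``by`` clause whose <who> matches the requester decides the access level, and
the request is granted only if that level is at least the one required.
"""

# slapd privilege levels, lowest to highest; a grant implies all lower levels.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def level_index(name):
    return LEVELS.index(name)


def who_matches(who, requester_dn, target_dn):
    """Does <who> select the bound requester (None = anonymous)?

    Supports the subset used in the thread: '*', 'anonymous', 'users', 'self',
    and 'dn.base=<dn>' / 'dn=<dn>'. DNs compare case-insensitively, as slapd
    normalises them (cn=Manager and cn=manager are the same entry).
    """
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn.base=") or who.startswith("dn="):
        wanted = who.split("=", 1)[1].strip('"')
        return requester_dn is not None and requester_dn.lower() == wanted.lower()
    raise ValueError("unsupported <who>: %s" % who)


def evaluate(by_clauses, requester_dn, target_dn, needed):
    """Evaluate one directive's ordered (who, level) clauses for a requester.

    Returns (granted, matched_clause). First matching clause wins; if none
    matches, slapd denies, represented here as (False, None).
    """
    for who, level in by_clauses:
        if who_matches(who, requester_dn, target_dn):
            return level_index(level) >= level_index(needed), (who, level)
    return False, None


# The directive Volker posted, clauses in his order.
VOLKER_ACL = [
    ("self", "write"),
    ("anonymous", "auth"),
    ('dn.base="cn=Manager,dc=teraphim,dc=de"', "write"),
    ("*", "none"),
]

# The reordering Rick proposed.
RICK_ACL = [
    ('dn="cn=manager,dc=teraphim,dc=de"', "write"),
    ("anonymous", "auth"),
    ("self", "write"),
    ("*", "none"),
]

# A constructed bad ordering: the catch-all comes first and swallows everyone.
BROKEN_ACL = [
    ("*", "none"),
    ("self", "write"),
    ("anonymous", "auth"),
]

USER = "uid=vp,ou=People,dc=teraphim,dc=de"
OTHER = "uid=someoneelse,ou=People,dc=teraphim,dc=de"  # constructed DN
MANAGER = "cn=Manager,dc=teraphim,dc=de"


def report(acl):
    """Outcomes of the requests a password change involves.

    anonymous needs 'auth' to verify the old password at bind time; the user,
    bound as self, needs 'write' to replace it; the manager needs 'write' to
    reset it; any other user should get nothing beyond what '*' allows.
    """
    return {
        "anonymous-auth": evaluate(acl, None, USER, "auth")[0],
        "self-write": evaluate(acl, USER, USER, "write")[0],
        "manager-write": evaluate(acl, MANAGER, USER, "write")[0],
        "other-read": evaluate(acl, OTHER, USER, "read")[0],
        "other-write": evaluate(acl, OTHER, USER, "write")[0],
    }


if __name__ == "__main__":
    for name, acl in (("volker", VOLKER_ACL), ("rick", RICK_ACL), ("broken", BROKEN_ACL)):
        print(name, report(acl))
```

Running it shows that ordering only matters when an earlier clause's selector also covers a later clause's identity: "self", "anonymous" and "dn.base=" each match a different requester, so they can be listed in either order, while putting "by * none" first denies everyone. It models only clause selection; it cannot tell whether the directive was placed where slapd applies it. For that, the debug output Volker posted is the thing to read: in slapd's acl.c the "backend default ... access" wording is printed when no "access to" directive matched the entry and attribute and the backend's default access was used, which is worth checking against where the directive sits relative to the "database" line in slapd.conf.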