Re: password change does not work: LDAP, sssd, nss or pam error?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/06/2010 04:28 PM, Volker Potworowski wrote:
> Hallo zusammen,
> 
> am Mittwoch, 6. Oktober 2010 schrieb Stephen Gallagher:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 10/06/2010 08:28 AM, Volker Potworowski wrote:
>>> Oct  6 12:18:43 thal passwd: pam_sss(passwd:chauthtok): Password change
>>> failed for user vp: 28 (Module is unknown)
>>
>> This error seems to imply that your LDAP server doesn't have the
>> password-change extended operation enabled.
>>
>> You'll have to check the documentation for OpenLDAP for information on
>> how to set up the LDAPv3 Password Modify (RFC 3062) extended operation.
> 
> I have the directive
> 
> pam_password exop
> 
> in /etc/ldap.conf. Hope this is enough (but doesn't work anyway).
> 
> When I debug slapd (with -d 128) while trying to change the password I see:
> 
> slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
> => access_allowed: result not in cache (userPassword)
> => access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de" 
> "userPassword" requested
> => slap_access_allowed: backend default auth access granted to "(anonymous)"
> => access_allowed: auth access granted by read(=rscxd)
> slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
> => bdb_entry_get: found entry: "uid=vp,ou=people,dc=teraphim,dc=de"
> => access_allowed: result not in cache (userPassword)
> => access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de" 
> "userPassword" requested
> => slap_access_allowed: backend default auth access granted to 
> "uid=vp,ou=People,dc=teraphim,dc=de"
> => access_allowed: auth access granted by read(=rscxd)
> => access_allowed: backend default write access denied to 
> "uid=vp,ou=People,dc=teraphim,dc=de"
> 
> 
> That seems to me that the user does not have the right to right access the 
> password. My slapd.conf includes
> 
> access to attrs=userPassword
>     by self write
>     by anonymous auth
>     by dn.base="cn=Manager,dc=teraphim,dc=de" write
>     by * none
> 
> Any ideas?
> 
> Cheers
> Volker


This is a server-side configuration issue. Probably you want to be
asking on the openldap-software mailing list. However, a quick Google
search revealed this thread which is likely relevant to you:
http://www.openldap.org/lists/openldap-software/200606/msg00021.html

Good luck!


- -- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAkytAQcACgkQeiVVYja6o6MSIwCdGrq2/RuJYuUizZEyFQ24zm9f
WNwAn2RThNiV/SvUqx5St33cFY/Xwi38
=WbhM
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux