Yes, I have similar problems. I can use LDAP to authenticate users but they can't change passwords.
I used the "system-config-authentication" tool (actually, its equivalent during the installation) to configure LDAP user info and authentication, which works as it should.
If I uncomment the rootbinddn line, authentication fails.
You normally don't need it, so I'd suggest that you use the included config tools to set up a working client configuration, and then decide whether or not you have a need for that option.
The /etc/openldap/slapd.conf looks like this:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
access to * by self write by users read by anonymous auth
Whoa... Hold up there. If you let users write to their uid and gid attributes, "Bad Things(tm)" can happen. Be specific about what you want users to be able to change; do not use wildcards for write access.
My /etc/ldap.secret is readable and writable by the user ldap, and only by that user.
If you want to pursue getting "rootbinddn" working after using the config tools, that file should be owned and readable only by root.
This worked perfectly with the same settings on FC3. Any idea what has changed?
I'm not sure, but selinux might be preventing root from reading files that it doesn't own.
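As an added illustration of the "be specific, no wildcard write access" point raised about the slapd.conf above (this is not from the thread or the OpenLDAP project), here is the same access block rewritten so that a user can change only their own password while uidNumber/gidNumber stay read-only. It assumes the password change binds as the user (no rootbinddn) and that the nis.schema attributes already included in that config are in use.

```conf
# Root DSE and subschema stay world-readable, as in the original config.
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read

# Password: the entry owner may rewrite it, anonymous may only use it to bind,
# nobody (including other authenticated users) may read the hash.
# shadowLastChange is included because pam_ldap updates it on password change.
# OpenLDAP evaluates the first matching "access to" clause, so this must come
# before the catch-all "access to *" below.
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none

# Identity attributes: readable by authenticated users, writable by no one
# via LDAP bind (only rootdn). A self-writable uidNumber/gidNumber would let a
# user set uidNumber=0 and become root on every client.
access to attrs=uidNumber,gidNumber,homeDirectory,loginShell
        by users read
        by anonymous auth

# Everything else: read for authenticated users, bind-only for anonymous.
# Note "by self write" is gone; the entry owner gets the same "users read".
access to *
        by users read
        by anonymous auth
```

Because clauses are matched in order, adding a new `access to attrs=...` line after the final `access to *` has no effect; keep specific clauses above the catch-all.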