-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/06/2010 04:28 PM, Volker Potworowski wrote: > Hallo zusammen, > > am Mittwoch, 6. Oktober 2010 schrieb Stephen Gallagher: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> On 10/06/2010 08:28 AM, Volker Potworowski wrote: >>> Oct 6 12:18:43 thal passwd: pam_sss(passwd:chauthtok): Password change >>> failed for user vp: 28 (Module is unknown) >> >> This error seems to imply that your LDAP server doesn't have the >> password-change extended operation enabled. >> >> You'll have to check the documentation for OpenLDAP for information on >> how to set up the LDAPv3 Password Modify (RFC 3062) extended operation. > > I have the directive > > pam_password exop > > in /etc/ldap.conf. Hope this is enough (but doesn't work anyway). > > When I debug slapd (with -d 128) while trying to change the password I see: > > slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1 > => access_allowed: result not in cache (userPassword) > => access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de" > "userPassword" requested > => slap_access_allowed: backend default auth access granted to "(anonymous)" > => access_allowed: auth access granted by read(=rscxd) > slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1 > => bdb_entry_get: found entry: "uid=vp,ou=people,dc=teraphim,dc=de" > => access_allowed: result not in cache (userPassword) > => access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de" > "userPassword" requested > => slap_access_allowed: backend default auth access granted to > "uid=vp,ou=People,dc=teraphim,dc=de" > => access_allowed: auth access granted by read(=rscxd) > => access_allowed: backend default write access denied to > "uid=vp,ou=People,dc=teraphim,dc=de" > > > That seems to me that the user does not have the right to right access the > password. My slapd.conf includes > > access to attrs=userPassword > by self write > by anonymous auth > by dn.base="cn=Manager,dc=teraphim,dc=de" write > by * none > > Any ideas? > > Cheers > Volker This is a server-side configuration issue. Probably you want to be asking on the openldap-software mailing list. However, a quick Google search revealed this thread which is likely relevant to you: http://www.openldap.org/lists/openldap-software/200606/msg00021.html Good luck! - -- Stephen Gallagher RHCE 804006346421761 Delivering value year after year. Red Hat ranks #1 in value among software vendors. http://www.redhat.com/promo/vendor/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAkytAQcACgkQeiVVYja6o6MSIwCdGrq2/RuJYuUizZEyFQ24zm9f WNwAn2RThNiV/SvUqx5St33cFY/Xwi38 =WbhM -----END PGP SIGNATURE----- -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
