On 10/06/2010 04:06 PM, Stephen Gallagher wrote:
> On 10/06/2010 04:28 PM, Volker Potworowski wrote:
>> Hello everyone,
>>
>> On Wednesday, 6 October 2010, Stephen Gallagher wrote:
>>> On 10/06/2010 08:28 AM, Volker Potworowski wrote:
>>>> Oct 6 12:18:43 thal passwd: pam_sss(passwd:chauthtok): Password change
>>>> failed for user vp: 28 (Module is unknown)
>>>
>>> This error seems to imply that your LDAP server doesn't have the
>>> password-change extended operation enabled.
>>>
>>> You'll have to check the documentation for OpenLDAP for information on
>>> how to set up the LDAPv3 Password Modify (RFC 3062) extended operation.
>>
>> I have the directive
>>
>> pam_password exop
>>
>> in /etc/ldap.conf. Hope this is enough (but doesn't work anyway).
>>
>> When I debug slapd (with -d 128) while trying to change the password I see:
>>
>> slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
>> => access_allowed: result not in cache (userPassword)
>> => access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de" "userPassword" requested
>> => slap_access_allowed: backend default auth access granted to "(anonymous)"
>> => access_allowed: auth access granted by read(=rscxd)
>> slap_global_control: unrecognized control: 1.3.6.1.4.1.42.2.27.8.5.1
>> => bdb_entry_get: found entry: "uid=vp,ou=people,dc=teraphim,dc=de"
>> => access_allowed: result not in cache (userPassword)
>> => access_allowed: auth access to "uid=vp,ou=People,dc=teraphim,dc=de" "userPassword" requested
>> => slap_access_allowed: backend default auth access granted to "uid=vp,ou=People,dc=teraphim,dc=de"
>> => access_allowed: auth access granted by read(=rscxd)
>> => access_allowed: backend default write access denied to "uid=vp,ou=People,dc=teraphim,dc=de"
>>
>> That seems to me that the user does not have the right to write access the
>> password. My slapd.conf includes
>>
>> access to attrs=userPassword
>>     by self write
>>     by anonymous auth
>>     by dn.base="cn=Manager,dc=teraphim,dc=de" write
>>     by * none
>>
>> Any ideas?
>>
>> Cheers
>> Volker
>
> This is a server-side configuration issue. Probably you want to be
> asking on the openldap-software mailing list. However, a quick Google
> search revealed this thread which is likely relevant to you:
> http://www.openldap.org/lists/openldap-software/200606/msg00021.html

Yes, and I think what you need is something like:

access to attrs=userPassword
    by dn="cn=manager,dc=teraphim,dc=de" write
    by anonymous auth
    by self write
    by * none

IIRC, the ACLs are processed from top to bottom and you need to auth
before you are granted write privilege. In other words, swap the order
of your "by self" and "by anonymous" lines. I could be wrong.

----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, C2 Hosting          ricks@xxxxxxxx -
- AIM/Skype: therps2        ICQ: 22643734        Yahoo: origrps2     -
-                                                                    -
-          Huked on foniks reely wurked for me!                      -
----------------------------------------------------------------------
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
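An added example, not from the thread or from OpenLDAP itself: a small Python model of slapd's top-to-bottom ACL evaluation (the first "access to" clause whose target matches is selected, and within it the first matching "by" clause fixes the granted level). It is run over both orderings quoted above for the anonymous, self and manager binds, and over a constructed third ACL where an "access to *" clause placed earlier shadows the userPassword clause, which is the kind of ordering mistake that produces a "write access denied" for a user bound as self.

```python
# Model of slapd ACL evaluation (added example; simplified, not slapd's own code).
from dataclasses import dataclass, field

# Access levels in increasing order, as slapd ranks them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class By:
    who: str      # "self", "anonymous", "*", or "dn=<exact dn>"
    level: str    # one of LEVELS

@dataclass
class Access:
    attrs: str    # attribute name the clause targets, or "*"
    by: list = field(default_factory=list)

def _norm(dn):
    # DN comparison is case-insensitive; normalise loosely for the model.
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def _by_matches(by, bind_dn, entry_dn):
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return bind_dn == ""
    if by.who == "self":
        return bind_dn != "" and _norm(bind_dn) == _norm(entry_dn)
    if by.who.startswith("dn="):
        return _norm(bind_dn) == _norm(by.who[3:])
    return False

def granted_level(acl, bind_dn, entry_dn, attr):
    """Level the first matching access/by pair grants; 'none' if nothing applies."""
    for clause in acl:
        if clause.attrs in ("*", attr):
            for by in clause.by:
                if _by_matches(by, bind_dn, entry_dn):
                    return by.level
            return "none"   # clause matched the target but no "by" matched: stop here
    return "none"

def allowed(acl, bind_dn, entry_dn, attr, wanted):
    return LEVELS.index(granted_level(acl, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)

# Constructed inputs: the DNs and the two orderings from the thread.
VP = "uid=vp,ou=People,dc=teraphim,dc=de"
MANAGER = "cn=Manager,dc=teraphim,dc=de"
ORIGINAL = [Access("userPassword", [By("self", "write"), By("anonymous", "auth"),
                                     By("dn=" + MANAGER, "write"), By("*", "none")])]
SWAPPED = [Access("userPassword", [By("dn=" + MANAGER, "write"), By("anonymous", "auth"),
                                    By("self", "write"), By("*", "none")])]
# Constructed: a broad clause listed first shadows the userPassword clause entirely.
SHADOWED = [Access("*", [By("*", "read")])] + ORIGINAL
```

Calling `granted_level(SHADOWED, VP, VP, "userPassword")` returns `"read"`, so a write by the user is denied even though a later clause would grant it.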