[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

pam_ldap OpenLDAP Insufficient acces, multiple password prompts, password encryption



Hi all.  I've given it my all, but I can't get my ldap authentication
working properly on my RH 7.2 box.  I'm almost there.  If I leave my ACL
wide open 

access to *
by * write

things work pretty well for the most part.  I can log in, and change my
passwords and everything stays in sync between ldap and Unix - although I do
have to type in the password for both pam_unix and pam_ldap (I would guess
that is what is occuring).  I think this should be avoidable, but playing
with the try/use_first_pass doesn't seem to work. It gets even worse, three
prompts (two from unix on from pam) if I put the pam_ldap module after
pam_unix_passwd.  I have a feeling this is to do with the password
encryption.  I have md5 turned on in the /etc/shadow passwords, and the
password would not appear to be stored in the same way in OpenLDAP.

** Just a note to some that might encounter the same problem as me.  By
making the pam_ldap and pam_unix auth required, if the passwords get out of
sync, as they very well can, you will end up with Access denied (through SSH
anyway) or something similar**

Anyhow the real problem is the password changing does not work at all if I
tighten up the ACL, as I must, but certainly still to where it should work -
like below for example.

 access to *
        by self write
        by dn="uid=root,dc=domain,dc=com" write
        by * read
        by anonymous auth

With the above access I get the following Insufficient access message when
changing passwords (you can also see the number of prompts it is giving me)

[greg@gateway greg]$ passwd
Changing password for greg
(current) UNIX password:
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
Enter new UNIX password:
Retype new UNIX password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
passwd: Permission denied
[greg@gateway greg]$

What does the "self" in the ACL refer to?  Who is bound in this scenario?
The user id + the base DN in slapd.conf?  Also, If I bind with my rootdn at
the command prompt things work fine for adding entries using ldapadd, but if
I try to change the password for the same user I get the following.  Very
very frustrating.

[root@gateway openldap]# ldappasswd -WS -D 'cn=root,dc=domain,dc=com' -x
greg
New password:
Re-enter new password:
Enter bind password:
Result: Invalid DN syntax (34)
Additional info: Invalid DN

or

[root@gateway openldap]# ldappasswd -WS -D
'cn=root,ou=People,dc=domain,dc=com' -x greg
New password:
Re-enter new password:
Enter bind password:
ldap_bind: Invalid credentials

but as stated I can bind and add with the same root dn no problems (see
below)

[root@gateway openldap]#  ldapadd -x -D "cn=root,dc=domain,dc=com" -W -f
testuser.ldif
Enter LDAP Password:
adding new entry "uid=testuser,ou=People,dc=domain,dc=com"

[root@gateway openldap]#







[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []