I have a basic LDAP setup without SSL configured. Users are able to log in but not able to change their password using the passwd command. I have gone through many blogs but no luck. I have disabled SELinux and iptables.

Any help on this will be much appreciated.

Details below:

  • OS: CentOS6.5
  • LDAP version: openldap-servers-2.4.23-34.el6_5.1.x86_64
  • Client version: openldap-clients-2.4.23-34.el6_5.1.x86_64

Output from the terminal when trying to change the password:

[servername ~]$ passwd
Changing password for user dkrishna.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error

Below are the logs:

==> /var/log/secure <==

Oct  8 09:31:33  passwd: pam_unix(passwd:chauthtok): user "dkrishna" does not exist in /etc/passwd
Oct  8 09:31:42  passwd: pam_unix(passwd:chauthtok): user "dkrishna" does not exist in /etc/passwd

==> /var/log/messages <==

Oct  8 09:31:42  passwd: pam_ldap: ldap_modify_s Insufficient access

ACLs configured as below:

database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=tibbr,dc=com" read
        by * none

access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

access to * by * read
Maxime Rouiller

2 Answers

I found the solution:

Add the following two lines to the end of the file olcDatabase={2}bdb.ldif:

olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=com" write by self write by * read

bye

ph0t0nix
Thomas
  • Thanks a lot Thomas for your response. Worked like a charm!! I have tried placing the same rule in the slapd.conf file and restarted the service; it didn't work. But placing the same rule directly in the olcDatabase={2}bdb.ldif file worked. – Krishnamurthy Dasari Oct 29 '14 at 17:41
Looks like slapd.conf is deprecated when an OLC database is configured.

Observe the following snippet from the OLC configuration guide: "From the time you have run the conversion the slapd.conf file is redundant. When loading slapd looks for the configuration directory (default slapd.d) and reads its configuration files from there and initializes the OLC (cn=config) DIT. If the slapd.d directory is not found then slapd looks for slapd.conf."