
#1 2014-01-09 11:10:01

iOfWhy
Member
Registered: 2012-05-16
Posts: 26

OpenLDAP Users cannot change password

After a lot of fighting I have finally gotten my LDAP server to start and I can log in from clients. However, users cannot change their password. I get

password change failed: Insufficient access

I have added the following in my slapd.conf:

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by * read

and regenerated config with slaptest without errors, changed owner of slap.d folder but to no avail. Also set pam.d settings like they should... removing the ldap line from pam.d/passwd skips the LDAP password change completely. So the error must be in the server...

Any ideas?

Last edited by iOfWhy (2014-01-09 14:38:40)


#2 2014-01-09 21:06:16

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: OpenLDAP Users cannot change password

How are they attempting to change their password?  Here is what the journal shows when I change mine with passwd:

Jan 09 20:59:17 Aliens nslcd[440]: [d7a87b] <pwmod="rusty"> password changed for uid=rusty,ou=People,dc=rusty,dc=GB,dc=com
Jan 09 20:59:17 Aliens passwd[23989]: pam_ldap(passwd:chauthtok): password changed for rusty
rusty ~  $  passwd
(current) LDAP Password: 
New password: 
Retype new password: 
passwd: password updated successfully

All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.


#3 2014-01-10 12:47:46

iOfWhy
Member
Registered: 2012-05-16
Posts: 26

Re: OpenLDAP Users cannot change password

They are using passwd...

How do you get information from the journal? I am ashamed to say that I still don't know where the syslog is located under systemd... Where does openldap log to in Arch Linux?

/etc/openldap/slapd.conf (on server):

include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/nis.schema
pidfile     /run/openldap/slapd.pid
argsfile    /run/openldap/slapd.args
database    bdb
suffix      "dc=testing,dc=com"
rootdn      "cn=Manager,dc=testing,dc=com"
rootpw      {SSHA}ntsD5qrvHJtMflarQPhJzapiEEnqH2/L
directory   /var/lib/openldap/openldap-data
index   objectClass eq
index   uid             pres,eq
index   mail            pres,sub,eq
index   cn              pres,sub,eq
index   sn              pres,sub,eq
index   dc              eq

/etc/openldap/ldap.conf (on client):

BASE   dc=testing,dc=com
URI    ldap://192.168.1.50

/etc/nslcd.conf (on client):

uid nslcd
gid nslcd
uri ldap://192.168.1.50/
base dc=testing,dc=com

/etc/pam.d/system-auth (on client):

auth      sufficient  pam_ldap.so
auth      required  pam_unix.so     try_first_pass nullok
auth      optional  pam_permit.so
auth      required  pam_env.so
account   sufficient  pam_ldap.so
account   required  pam_unix.so
account   optional  pam_permit.so
account   required  pam_time.so
password  sufficient  pam_ldap.so
password  required  pam_unix.so     try_first_pass nullok sha512 shadow
password  optional  pam_permit.so
session   required  pam_limits.so
session   required  pam_unix.so
session   optional  pam_ldap.so
session   optional  pam_permit.so

/etc/pam.d/passwd (on client):

password    sufficient  pam_ldap.so
password    required    pam_unix.so sha512 shadow nullok

Last edited by iOfWhy (2014-01-10 13:06:38)


#4 2014-01-10 14:53:43

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: OpenLDAP Users cannot change password

It should be logging to the journal.  So, just as an example to see entire journal entries since the last reboot:

journalctl -b

If you want to watch what's happening in realtime:

journalctl --follow

You could also see all messages related to openldap.

https://wiki.archlinux.org/index.php/systemd#Journal



#5 2014-10-17 20:33:53

MikeDacre
Member
From: San Francisco Bay Area
Registered: 2013-01-18
Posts: 51

Re: OpenLDAP Users cannot change password

iOfWhy wrote:

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by self write
        by * read

I had this same problem. You need to update /etc/openldap/slapd.conf to contain the following:

access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=example,dc=org" write
        by * none

access to *
        by self write
        by dn.base="cn=Manager,dc=example,dc=org" write
        by * read

Last edited by MikeDacre (2014-10-18 15:54:28)
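To make the ACL debate concrete, here is an added example (not code from the thread or from OpenLDAP): a small Python model of how slapd evaluates `access to` directives, loaded with the OP's original ACL and MikeDacre's variant (Manager DN adapted to the OP's `dc=testing,dc=com` suffix), so you can see what each grants to a self-bound user, an anonymous bind, a different user and the rootdn. The `users`-style keywords beyond those used on the page are left out; the rootdn bypass is OpenLDAP's documented behaviour.

```python
# Added example, not from the thread or OpenLDAP: simplified model of slapd
# 'access to' evaluation.  Rules modelled: the first 'access to' clause whose
# <what> matches is the only one consulted; within it the first matching 'by'
# clause decides; rootdn is never subject to access control at all.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
ROOTDN = "cn=Manager,dc=testing,dc=com"  # rootdn from the OP's slapd.conf

# (attrs, or None for '*', [(who, access), ...]) in slapd.conf order.
OP_ACL = [
    ("userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None,           [("self", "write"), ("*", "read")]),
]
# MikeDacre's variant, with the Manager DN adapted to the OP's suffix.
MIKE_ACL = [
    ("userPassword", [("self", "write"), ("anonymous", "auth"),
                      ('dn.base="%s"' % ROOTDN, "write"), ("*", "none")]),
    (None,           [("self", "write"), ('dn.base="%s"' % ROOTDN, "write"),
                      ("*", "read")]),
]

def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous bind; DNs compared case-insensitively."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn.base="):
        wanted = who[len("dn.base="):].strip('"')
        return bind_dn is not None and bind_dn.lower() == wanted.lower()
    raise ValueError("unsupported <who> form: %s" % who)

def access_level(acl, bind_dn, target_dn, attr):
    """Access the bound identity gets to one attribute of target_dn."""
    if bind_dn is not None and bind_dn.lower() == ROOTDN.lower():
        return "write"  # rootdn bypasses ACLs; naming it in a 'by' is redundant
    for attrs, by_clauses in acl:
        if attrs is not None and attrs.lower() != attr.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # <what> matched but no <who> did: implicit 'by * none'
    return "none"      # nothing matched: implicit final 'access to * by * none'

def allows(level, needed):
    """True if the granted level covers the level an operation needs."""
    return LEVELS.index(level) >= LEVELS.index(needed)
```

A password change through pam_ldap/nslcd binds as the user and writes that user's own userPassword, so the access it needs is the `by self write` result for that attribute; compare the two ACLs for that case and for the other identities when debugging an "Insufficient access" error.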


#6 2014-10-18 15:46:52

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: OpenLDAP Users cannot change password

Can you please explain why this is the case and what the addition achieves?



#7 2014-10-18 16:04:37

MikeDacre
Member
From: San Francisco Bay Area
Registered: 2013-01-18
Posts: 51

Re: OpenLDAP Users cannot change password

I am afraid I honestly don't know, I found the suggestion on a number of forums (including this one: http://ubuntuforums.org/showthread.php?t=1556923), and it worked for me. It may be because the root dn and password are defined in slapd.conf, or perhaps it is because I am using non-default values.

You can read the full LDAP access control info document here:
http://www.openldap.org/doc/admin24/access-control.html

It covers some of the specifics, but it does seem like the initial config in this post should work, but it doesn't for me. I don't see any security issues with allowing root to change user passwords also, so I don't see any issues with the new config I suggested, and it does just work.

If anyone else is able to explain exactly why it is necessary to explicitly give root access in order to allow users to change their own passwords, I would love to hear it.

Sorry I can't be more helpful.


#8 2014-10-19 19:23:36

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: OpenLDAP Users cannot change password

That was the point I was making.  What you've done is allow "root" the access you've defined.  It has nothing to do with users changing their passwords and as such has nothing to do with the original issue.

I have no such problem without that entry.

The problem is elsewhere.  Having said all that I doubt very much if the OP is still watching.



#9 2014-10-20 18:52:11

MikeDacre
Member
From: San Francisco Bay Area
Registered: 2013-01-18
Posts: 51

Re: OpenLDAP Users cannot change password

That is true, but nonetheless, I can still recreate the issue by simply removing that line. The default configuration doesn't work for me. I am not sure why, it is probably something screwy elsewhere in my config.
