# LDAP Authentication & passwd

## pgb

Hello,

I have my server configured for ldap authentication, however, as a normal user I cannot change the password.

This is the output of passwd:

```
user@deathstar user $ passwd
Enter login(LDAP) password: 
New UNIX password: 
Retype new UNIX password: 
New password: 
Re-enter new password: 
LDAP password information update failed: Unknown error
use bind to verify old password
passwd: Permission denied
```

and this is my /etc/pam.d/system-auth:

```
auth       required     /lib/security/pam_env.so
# Added shadow
auth       sufficient   /lib/security/pam_unix.so likeauth nullok shadow
# Added for ldap
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_ldap.so  use_authok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0
session    optional     /lib/security/pam_ldap.so
```

Any hint on how to solve this? I would like my users to be able to change their passwords freely.

----------

## slam_head

Is ldap listed in /etc/nsswitch.conf?  If so does it come before files?

----------

## pgb

Yes, it's listed in nsswitch.conf and it's before files.

nsswitch.conf:

```
passwd:      ldap compat
shadow:      ldap compat
group:       ldap compat
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

I had "compat ldap" before, but I changed it in order to be able to use sudo and su (otherwise the users added to the group wheel in LDAP wouldn't be able to sudo).

----------

## pgb

I'm bumping this topic, as I'm sure it's a common issue.

----------

## UberLord

I'm pretty sure it's something wrong with /etc/ldap.conf - why don't you post yours?

Also, I think you need to be running unstable versions of pam_ldap and nss_ldap.

----------

## pgb

Here's my /etc/ldap.conf:

```
base dc=domain,dc=com
rootbinddn uid=root,ou=People,dc=domain,dc=com
host auth.domain.com.ar
pam_password exop
ldap_version 3
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memberuid
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group ou=Group,dc=domain,dc=com
nss_base_hosts ou=Hosts,dc=domain,dc=com
scope one
```

The versions I have installed are:

```
net-libs/pam_ldap-171
net-libs/nss_ldap-226
```

Thanks in advance.

----------

## UberLord

I've improved your config a bit:

```
base dc=domain,dc=com
rootbinddn uid=root,ou=People,dc=domain,dc=com
uri ldap://auth.domain.com.ar/
ldap_version 3

# PAM config
# exop causes problems sometimes
#pam_password exop
pam_password crypt
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gidNumber

# NSS config
scope one
nss_base_passwd ou=People,dc=domain,dc=com
nss_base_shadow ou=People,dc=domain,dc=com
nss_base_group ou=Group,dc=domain,dc=com
nss_base_hosts ou=Hosts,dc=domain,dc=com
```

I really wouldn't include root in LDAP - use Manager instead.

I also don't have any hosts in LDAP - DNS does a much better job.

FYI, I use pam_ldap-176.

----------

## pgb

Thanks a lot! This configuration works much better.

I still get the double prompt, but the password is successfully changed.

Here's the exchange with passwd:

```
Enter login(LDAP) password: 
New UNIX password: 
Retype new UNIX password: 
New password: 
Re-enter new password: 
LDAP password information changed for user
passwd: password updated successfully
```

Can I make passwd ask for the password only once?

The user whose password I'm changing is only in LDAP, and not in /etc/passwd, so I don't see why I have to type it twice.

I'll try using Manager instead of root, and see if it all works.

Thanks again!

----------

## Merlin8000

 *pgb wrote:*   

> Thanks a lot! This configuration works much better.
> 
> I still get the double prompt, but the password is successfully changed.
> 
> Here's the exchange with passwd:
> ...

I'm not sure what the issue is for that specifically, but I had the exact same problem as your previous one and changing the pam_password line fixed it for me too. However, I'm not getting a duplicate new password prompt like you are, so I guess it's safe to say the problem isn't your /etc/ldap.conf.

You might want to have a look at /etc/nsswitch.conf or /etc/pam.d/passwd.

Thanks guys! This one had been annoying me for some time now.

----------

## pgb

 *Merlin8000 wrote:*   

> You might want to have a look at /etc/nsswitch.conf or /etc/pam.d/passwd.

Can you post yours so I can compare them?

Mine are:

/etc/nsswitch.conf

```
passwd:      ldap compat
shadow:      ldap compat
group:       ldap compat
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

/etc/pam.d/passwd

```
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
```

/etc/pam.d/system-auth

```
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok shadow
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_ldap.so  use_authok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0
session    optional     /lib/security/pam_ldap.so
```

Thanks

----------

## Merlin8000

/etc/nsswitch.conf

```
passwd:      files ldap
group:       files ldap
shadow:      files ldap
hosts:       files dns
networks:    files dns
services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

/etc/pam.d/passwd

```
auth       required     /lib/security/pam_stack.so service=system-auth
account    required     /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_ldap.so
password   required     /lib/security/pam_stack.so service=system-auth
```

/etc/pam.d/system-auth

```
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok shadow
auth       sufficient   /lib/security/pam_ldap.so use_first_pass
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so
account    sufficient   /lib/security/pam_ldap.so
account    required     /lib/security/pam_deny.so

password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok use_authtok shadow md5
password   required     /lib/security/pam_ldap.so use_authtok
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0
session    optional     /lib/security/pam_ldap.so
```

I got most of these settings from the Gentoo LDAP howto. I followed it pretty strictly, except I'm not using SSL (just yet) and I had to change the ACLs provided in /etc/openldap/slapd.conf because the howto's ACL list seemed to disallow logins altogether.

----------

## UberLord

 *Merlin8000 wrote:*   

> /etc/pam.d/passwd
> 
> ```
> ...

You don't need that reference to pam_ldap in there, as system-auth takes care of it AFAIK.

----------

## Merlin8000

 *UberLord wrote:*   

> You don't need that reference to pam_ldap in there, as system-auth takes care of it AFAIK.

Without it I get the following passwd chat:

```
Enter login(LDAP) password:
passwd: Authentication token manipulation error
```

----------

## pgb

Does anyone see anything strange with my nsswitch.conf?

The duplicate password prompt is not a big issue, but is nevertheless annoying.

Thanks.

----------

## UberLord

 *pgb wrote:*   

> Does anyone see anything strange with my nsswitch.conf?
> 
> ```
> passwd:      ldap compat
> ...

I have the word "files" instead of "compat":

```
passwd:      ldap files
shadow:      ldap files
group:       ldap files
```

----------

## pgb

 *UberLord wrote:*   

>  *pgb wrote:*   Does anyone see anything strange with my nsswitch.conf?
> 
> ```
> passwd:      ldap compat
> ...

I get the same duplicate prompt...

Do I need to restart anything after changing nsswitch.conf?

----------

## Merlin8000

What about your logs? Does anything pop up when you try to change passwords the first time around? Sounds to me like the first passwd change attempt is failing, so it's reprompting with a different system.

Also, does the user in question exist on both your LDAP server and in /etc/passwd?

Not that I know this would cause that, but it's a shot in the dark.

----------

## pgb

Just found it...

I had a typo on the /etc/pam.d/system-auth file...

I had:

```
password   sufficient   /lib/security/pam_ldap.so  use_authok
```

instead of:

```
password   sufficient   /lib/security/pam_ldap.so  use_authtok
```

Now it works as expected... Thanks for your help.
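The typo that caused the double prompt is the kind of thing a config linter catches in seconds. Below is an added example, not code from anyone in this thread, that parses a PAM stack and flags module options it does not recognise, suggesting the closest known spelling; the per-module option allowlist is a constructed, non-exhaustive assumption, and the sample input is the password stack from above with the `use_authok` typo.

```python
import difflib
import re

# Constructed, non-exhaustive allowlist of module options (assumption: enough
# for the stacks in this thread; extend it for the modules you actually use).
KNOWN_OPTIONS = {
    "pam_unix.so": {"nullok", "md5", "shadow", "likeauth", "use_authtok",
                    "use_first_pass", "try_first_pass", "remember"},
    "pam_ldap.so": {"use_authtok", "use_first_pass", "try_first_pass",
                    "ignore_unknown_user", "ignore_authinfo_unavail", "debug"},
    "pam_cracklib.so": {"retry", "minlen", "difok", "type"},
}

# type, control (plain word or [bracketed] form), module path, optional args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def check_pam_config(text):
    """Return a list of (line_no, problem) for unknown or misspelled options."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            findings.append((no, "unparseable line"))
            continue
        _type, _control, module, args = m.groups()
        known = KNOWN_OPTIONS.get(module.rsplit("/", 1)[-1])
        if known is None:
            continue   # module not in the allowlist; nothing to say about it
        for arg in args.split():
            key = arg.split("=", 1)[0]        # "retry=3" -> "retry"
            if key in known:
                continue
            hint = difflib.get_close_matches(key, sorted(known), n=1, cutoff=0.8)
            msg = f"{module.rsplit('/', 1)[-1]}: unknown option '{key}'"
            if hint:
                msg += f" (did you mean '{hint[0]}'?)"
            findings.append((no, msg))
    return findings


# Constructed sample: the thread's password stack, typo included.
SAMPLE = """\
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   sufficient   /lib/security/pam_ldap.so  use_authok
password   required     /lib/security/pam_deny.so
"""

if __name__ == "__main__":
    for no, problem in check_pam_config(SAMPLE):
        print(f"line {no}: {problem}")
```

Running it prints one finding for line 3, pointing at `use_authok` and suggesting `use_authtok`.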

----------

## pejcao

Does "passwd" change your LDAP password AND /etc/shadow simultaneously? (if the user exists in both)

----------

