# passwd & OpenLDAP & pam_ldap.so

## M1Sports20

I am using LDAP just fine, except the passwd command won't work.

Console output:

```
passwd
Enter login(LDAP) password: 
New UNIX password: 
Retype new UNIX password: 
LDAP password information update failed: Can't contact LDAP server
```

/etc/pam.d/passwd

```
auth       include      system-auth
account    include      system-auth
password   include      system-auth
```

/etc/pam.d/system-auth

```
# lock out users after too many failed password attempts, except root
auth       required     pam_tally.so    onerr=fail no_magic_root
# set env vars
auth       required     pam_env.so
# the nodelay option can be added to the following line to stop the 1 sec delay
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
# lock out users after 5 failed password attempts, except root
account    required     pam_tally.so    deny=5  reset   no_magic_root
account    required     pam_unix.so
account    sufficient   pam_ldap.so
password   required     pam_cracklib.so difok=3 retry=3 minlen=8 dcredit=2 ocredit=2
#password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
# create home dirs if they don't exist
session    required     /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    required     pam_limits.so
session    required     pam_unix.so
session    optional     pam_ldap.so
```

/etc/ldap.conf

```
ssl start_tls
ssl on
suffix "dc=mspradling,dc=com"
uri ldap://localhost ldaps://localhost:636
pam_password smd5
ldap_version 3
pam_filter      objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute memeberuid
nss_base_passwd ou=people,dc=mspradling,dc=com
nss_base_shadow ou=people,dc=mspradling,dc=com
nss_base_group  ou=groups,dc=mspradling,dc=com
scope one
```

/etc/openldap/ldap.conf

```
BASE            dc=mspradling,dc=com
URI             ldap://localhost ldaps://localhost
TLS_REQCERT     never
```

/etc/openldap/slapd.conf ACLs

```
access to *
        by users read
        by anonymous read
access to attrs=userPassword,description,loginShell,givenName
        by anonymous auth
        by self write
        by * none
```

/var/log/syslog

```
Apr 25 22:44:04 mspradling slapd[18572]: conn=34 fd=11 ACCEPT from IP=127.0.0.1:37078 (IP=0.0.0.0:389)
Apr 25 22:44:04 mspradling slapd[18572]: conn=34 fd=11 closed
Apr 25 22:44:04 mspradling slapd[18572]: conn=35 fd=11 ACCEPT from IP=127.0.0.1:45475 (IP=0.0.0.0:636)
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=0 BIND dn="" method=128
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=0 RESULT tag=97 err=0 text=
Apr 25 22:44:04 mspradling slapd[23493]: conn=35 op=1 SRCH base="ou=people,dc=mspradling,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=clendenb))"
Apr 25 22:44:04 mspradling slapd[23493]: conn=35 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 25 22:44:04 mspradling slapd[23493]: conn=35 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=2 SRCH base="ou=people,dc=mspradling,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uid=clendenb))"
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 25 22:44:04 mspradling slapd[3609]: conn=35 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:04 mspradling passwd(pam_unix)[3148]: user "clendenb" does not exist in /etc/passwd
Apr 25 22:44:04 mspradling slapd[18572]: conn=36 fd=16 ACCEPT from IP=127.0.0.1:45271 (IP=0.0.0.0:389)
Apr 25 22:44:04 mspradling slapd[18572]: conn=36 fd=16 closed
Apr 25 22:44:04 mspradling slapd[18572]: conn=37 fd=16 ACCEPT from IP=127.0.0.1:47837 (IP=0.0.0.0:636)
Apr 25 22:44:04 mspradling slapd[23493]: conn=37 op=0 BIND dn="" method=128
Apr 25 22:44:04 mspradling slapd[23493]: conn=37 op=0 RESULT tag=97 err=0 text=
Apr 25 22:44:04 mspradling slapd[3609]: conn=37 op=1 SRCH base="ou=people,dc=mspradling,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=clendenb))"
Apr 25 22:44:04 mspradling slapd[3609]: conn=37 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:06 mspradling slapd[23493]: conn=37 op=2 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" method=128
Apr 25 22:44:06 mspradling slapd[23493]: conn=37 op=2 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" mech=SIMPLE ssf=0
Apr 25 22:44:06 mspradling slapd[23493]: conn=37 op=2 RESULT tag=97 err=0 text=
Apr 25 22:44:06 mspradling slapd[3609]: conn=37 op=3 BIND anonymous mech=implicit ssf=0
Apr 25 22:44:06 mspradling slapd[3609]: conn=37 op=3 BIND dn="" method=128
Apr 25 22:44:06 mspradling slapd[3609]: conn=37 op=3 RESULT tag=97 err=0 text=
Apr 25 22:44:10 mspradling slapd[23493]: conn=35 op=3 SRCH base="ou=people,dc=mspradling,dc=com" scope=1 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=1002))"
Apr 25 22:44:10 mspradling slapd[23493]: conn=35 op=3 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Apr 25 22:44:10 mspradling slapd[23493]: conn=35 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 25 22:44:12 mspradling passwd(pam_unix)[3148]: user "clendenb" does not exist in /etc/passwd
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=4 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" method=128
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=4 BIND dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com" mech=SIMPLE ssf=0
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=4 RESULT tag=97 err=0 text=
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 MOD dn="cn=Brian Clendening,ou=people,dc=mspradling,dc=com"
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 MOD attr=userPassword
Apr 25 22:44:12 mspradling slapd[23493]: conn=37 op=5 RESULT tag=103 err=50 text=
Apr 25 22:44:12 mspradling passwd[3148]: pam_ldap: ldap_modify_s Insufficient access
Apr 25 22:44:12 mspradling slapd[18572]: conn=35 fd=11 closed
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 op=6 UNBIND
Apr 25 22:44:12 mspradling slapd[3609]: conn=37 fd=16 closed
```

Thanks if anyone can help

----------

## expat_iain

What's in /etc/nsswitch.conf?

Regs.

Iain.

----------

## Janne Pikkarainen

*M1Sports20 wrote:*

> /etc/openldap/slapd.conf ACLs
>
> ```
> ...
> ```

Maybe you should swap those? If my memory serves me right, slapd stops searching for ACLs after the first match, so currently your setup provides read-only access. Try to put it this way:

```
access to attrs=userPassword,description,loginShell,givenName
        by anonymous auth
        by self write
        by * none
access to *
        by users read
        by anonymous read
```

Then restart your slapd and hope for the best.
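To see why the order posted in the question ends in `err=50` on the `MOD attr=userPassword` while the swapped order lets it through, here is an added Python model of slapd's first-match ACL evaluation (example code written for this page, not from the thread or from OpenLDAP). The `parse_acl`, `granted_level` and `allows` helpers and the access-level ordering are my own; the two rule texts and the user DN are taken from the posts and log above, and the same model shows that under the swapped order an anonymous (nss_ldap) read of `loginShell` only gets `auth`.

```python
# Added example (not from the thread): a small model of how slapd evaluates
# slapd.conf ACLs. The first "access to" directive that selects the attribute
# wins; inside it the first matching "by" clause wins; no match means deny.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Return [(attrs_or_None, [(who, level), ...])]; None stands for '*'."""
    acls = []
    for words in (line.split() for line in text.splitlines()):
        if words[:2] == ["access", "to"]:
            what = words[2]
            attrs = set(what[6:].split(",")) if what.startswith("attrs=") else None
            acls.append((attrs, []))
        elif words[:1] == ["by"]:
            acls[-1][1].append((words[1], words[2]))
    return acls

def who_matches(who, bound_dn, target_dn):
    """'by <who>' selectors used in the thread; bound_dn None means anonymous."""
    return {"*": True, "anonymous": bound_dn is None, "users": bound_dn is not None,
            "self": bound_dn is not None and bound_dn == target_dn}[who]

def granted_level(acl_text, attr, bound_dn, target_dn):
    """Access level slapd grants the requester on attr of the entry target_dn."""
    for attrs, by_clauses in parse_acl(acl_text):
        if attrs is None or attr in attrs:
            for who, level in by_clauses:
                if who_matches(who, bound_dn, target_dn):
                    return level
            return "none"  # directive matched but no 'by' did: implicit deny
    return "none"

def allows(acl_text, attr, bound_dn, target_dn, needed):
    """True if the granted level is at least the level the operation needs."""
    got = granted_level(acl_text, attr, bound_dn, target_dn)
    return LEVELS.index(got) >= LEVELS.index(needed)

ATTRS_RULE = """access to attrs=userPassword,description,loginShell,givenName
        by anonymous auth
        by self write
        by * none"""
STAR_RULE = """access to *
        by users read
        by anonymous read"""
ORIGINAL = STAR_RULE + "\n" + ATTRS_RULE  # order posted in the question
SWAPPED = ATTRS_RULE + "\n" + STAR_RULE   # order suggested in the reply
USER = "cn=Brian Clendening,ou=people,dc=mspradling,dc=com"  # DN from the log

if __name__ == "__main__":
    # passwd binds as the user and MODs its own userPassword: needs write
    print(allows(ORIGINAL, "userPassword", USER, USER, "write"))  # False -> err=50
    print(allows(SWAPPED, "userPassword", USER, USER, "write"))   # True
```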

----------

## M1Sports20

```
# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/nsswitch.conf,v 1.1 2005/05/17 00:52:41 vapier Exp $

#MS +diff
passwd:      ldap files
shadow:      ldap files
group:       ldap files
#MS -diff

#passwd:      compat
#shadow:      compat
#group:       compat

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

----------

## M1Sports20

The tip in the above post worked.

Thanks, didn't know that's how LDAP worked.

----------

## M1Sports20

Sorry for the multiposts.

The above solution does work for changing passwords, although now users can't log in.

----------

## Janne Pikkarainen

Try this first, so we can see if the previous `by * none` was nagging users.

```
access to attrs=userPassword,description,loginShell,givenName
        by anonymous auth
        by self write

access to *
        by users read
        by anonymous read
```

----------

## M1Sports20

Yep, that worked.

----------

