Mailinglist Archive: opensuse-security (228 mails)

password change from LDAP client (pwdutils and shadow RPMs)
  • From: Prakash Velayutham <prakash.velayutham@xxxxxxxxx>
  • Date: Thu, 17 Mar 2005 15:18:28 -0500
  • Message-id: <4239E614.9@xxxxxxxxx>
Hi,

I have already sent this question to the openldap-software mailing list. There seem to be so many package changes between 9.0 and 9.1 SuSE Pro that I thought of posting this here too to get experts' opinions.
I have an OpenLDAP server (openldap2-2.1.22-65 RPM version) running on a SuSE Pro 9.0 server (Kernel 2.4.21-192). There are different clients connecting to this server for authentication (a mix of SuSE Pro 9.0 and 9.1 systems).

I have the following packages in the 9.0 clients:
pam_ldap-164-42
nss_ldap-207-80
openldap2-client-2.1.22-65

and the following in the 9.1 clients:
pam_ldap-169-24
nss_ldap-215-55
openldap2-client-2.2.6-34

I want the users to be able to change their own passwords using the "passwd" command. Here are the scenarios:
In the server slapd.conf, I have the following ACLs:

access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="cn=Manager,o=tchrf,c=us" write
        by * none
access to attrs=shadowLastChange
        by dn="cn=Manager,o=tchrf,c=us" write
        by self write
        by * auth
access to * by * read

I also have the "password-hash {SSHA}" option.

In all the clients, I have "pam_password exop" enabled. I am able to do the passwd change successfully from the 9.0 systems, but not from the 9.1 systems. The /var/log/messages shows an error like the following:

pam_ldap: ldap_extended_operation_s Server is unwilling to perform

Please help. If you need more info, please ask.

Thanks,
Prakash
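
Added example, not part of the original post and not OpenLDAP code: a simplified model of how slapd would apply the ACLs quoted in the message, showing which access level each kind of requester ends up with on userPassword and shadowLastChange. It assumes first-match evaluation of both the "access to" and the "by" clauses and compares DNs as lowercased strings; the uid=alice and uid=bob DNs are constructed.

```python
# Simplified model of slapd ACL evaluation (added example, not OpenLDAP code).
# Assumption: the first "access to" clause matching the attribute is used, and
# within it the first matching "by" clause decides; no match means "none".
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
MANAGER = "cn=Manager,o=tchrf,c=us"
ALICE = "uid=alice,ou=people,o=tchrf,c=us"   # constructed sample DN
BOB = "uid=bob,ou=people,o=tchrf,c=us"       # constructed sample DN

# The ACLs from the message, in order: (attribute or "*", [(who, level), ...])
ACLS = [
    ("userPassword", [("self", "write"), ("anonymous", "auth"),
                      ("dn=" + MANAGER, "write"), ("*", "none")]),
    ("shadowLastChange", [("dn=" + MANAGER, "write"), ("self", "write"),
                          ("*", "auth")]),
    ("*", [("*", "read")]),
]

def who_matches(who, requester, target):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester.lower() == target.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    return False

def granted(attr, requester, target):
    """Access level the requester gets on attr of the entry named target."""
    for what, by_clauses in ACLS:
        if what != "*" and what.lower() != attr.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, target):
                return level
        return "none"   # attribute clause matched, but no "by" clause did
    return "none"

def allows(attr, requester, target, needed):
    return LEVELS.index(granted(attr, requester, target)) >= LEVELS.index(needed)

if __name__ == "__main__":
    for attr in ("userPassword", "shadowLastChange", "cn"):
        for req in (ALICE, BOB, MANAGER, None):
            print(f"{attr:17} {str(req):34} -> {granted(attr, req, ALICE)}")
```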
