I am unable to change users passwords as themselves.  When a user tries to change their password, they get and error invalid credentials(49).  I have tried every option of changing the acl’s to allow them to bind and change it but nothing has worked.  Any help would be appreciated.  Here is my slapd.conf and the command I am trying to use to change the password.

 

ldappasswd -x -D "uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com" -w tt#12345 -s new#1234 uid=user1,ou=users,ou=employees,ou=users,dc=example,dc=com

 

 

# See slapd.conf(5) for details on configuration options.

# This file should NOT be world readable.

#

include         /usr/local/etc/openldap/schema/core.schema

include         /usr/local/etc/openldap/schema/cosine.schema

include         /usr/local/etc/openldap/schema/nis.schema

include         /usr/local/etc/openldap/schema/inetorgperson.schema

include         /usr/local/etc/openldap/schema/misc.schema

# Define global ACLs to disable default read access.

 

# Do not enable referrals until AFTER you have a working directory

# service AND an understanding of referrals.

#referral       ldap://root.openldap.org

 

pidfile         /usr/local/var/run/slapd.pid

argsfile        /usr/local/var/run/slapd.args

 

# Load dynamic backend modules:

# modulepath    /usr/local/libexec/openldap

# moduleload    back_bdb.la

# moduleload    back_ldap.la

# moduleload    back_ldbm.la

# moduleload    back_passwd.la

# moduleload    back_shell.la

 

#tru64 bind

allow bind_v2

 

# Sample security restrictions

#       Require integrity protection (prevent hijacking)

#       Require 112-bit (3DES or better) encryption for updates

#       Require 63-bit encryption for simple bind

# security ssf=1 update_ssf=112 simple_bind=64

 

TLSCACertificateFile /usr/local/etc/openldap/cacert.pem

TLSCertificateFile /usr/local/etc/openldap/servercrt.pem

TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem

 

# Sample access control policy:

#       Root DSE: allow anyone to read it

#       Subschema (sub)entry DSE: allow anyone to read it

#       Other DSEs:

#               Allow self write access

#               Allow authenticated users read access

#               Allow anonymous users to authenticate

#       Directives needed to implement policy:

# access to dn.base="" by * read

## access to dn.base="cn=Subschema" by * read

 

access to * by self write by * read

 

# if no access controls are present, the default policy

# allows anyone and everyone to read anything but restricts

# updates to rootdn.  (e.g., "access to * by * read")

#

# rootdn can always read and write EVERYTHING!

 

#######################################################################

# BDB database definitions

#######################################################################

 

database        bdb

suffix          "dc=example,dc=com"

rootdn          "cn=Manager,dc=example,dc=com"

# Cleartext passwords, especially for the rootdn, should

# be avoid.  See slappasswd(8) and slapd.conf(5) for details.

# Use of strong authentication encouraged.

rootpw          {SSHA}OIbjYF+qgnf6+yiF+QvFMKhUONMmRp1q

# The database directory MUST exist prior to running slapd AND

# should only be accessible by the slapd and slap tools.

# Mode 700 recommended.

directory       /usr/local/var/openldap-data

# Indices to maintain

index   objectClass     eq

index   cn,uid          eq

index   uidNumber       eq

index   gidNumber       eq

index   userPassword    eq

#logging

loglevel 512

#cache size

cachesize       2000