This is my setup:
Server: Openldap 2.4.39 installed on RHEL7
Ldap clients: RHEL7 and RHEL5
I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent users with expired accounts to login: ldap_pwd_policy = shadow. This works as expected.
Now I need to allow users to reset their ldap password after logging in to an ldap client. This is what is logged when a user attempts to reset their password using passwd:
rhel7 ldap client:
# passwd
Changing password for user real
Current password:
New password:
Retype new password:
passwd: Authentication token manipulation error
rhel7 ldap server: /var/log/secure
pam_unix(passwd:chauthtok): user “real” does not exist in the /etc/passwd
pam_sss(passwd:chauthtok): Password change failed for user real: 28
(Module is unknown)
Gkr-pam: couldn’t update the login keyring password: no old password was
Entered
In an attempt to allow users to change their ldap password, i edited my ACL on the ldap server and added 'shadowLastChange':
dn: olcDatabase={2}hdb,cn=config
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by anonymous auth by * none
olcAccess: {1}to * by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read
However that did not work, on the ldap clients I get this on the logs:
pam_unix(sshd:auth): authentication failure
pam_sss(sshd:auth): authentication failure
pam_sss(sshd:auth): received for user reaL 4 (System error)
This is the /etc/pam.d/system-auth file on the rhel7 ldap client:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 authtok_type=
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
~
What other directive do I need to set to allow users to reset their ldap password when they call passwd?
Thank you,
Liz