Everything is set up on RHEL 6.4 with OpenLDAP 2.4.
I have one provider and one consumer. StartTLS has been enabled and everything is working as intended. My only problem arises here: when a user is set up with a password and he tries to change his password on a consumer-pointing client, I get "passwd: Authentication token manipulation error". This message is misleading, since the password is in fact changed on the provider (I have the olcUpdateRef directive set up). This creates a situation where the user can log in to consumer-pointed boxes with his old password and to provider-pointed boxes with his new password. If the user tries to change his password a second time on consumer-pointed boxes, I get "Password change failed. Server message: unwilling to verify old password" followed by "passwd: Authentication token manipulation error", which understandably is because the password in the actual LDAP db is different from what is being supplied and accepted by the client. What is going on here? Why isn't the password getting updated properly on the consumer?
Here are some of the relevant snippets of the configs. For syncrepl, in olcDatabase={2}bdb.ldif on the consumer:
###For Replication
olcSyncrepl: rid=100
provider="ldap://server.com"
type=refreshAndPersist
retry="60 30 300 +"
searchbase="dc=ex,dc=example,dc=com"
bindmethod=simple
binddn="cn=Manager,dc=ex,dc=example,dc=com"
credentials=secret
starttls=yes
tls_cacert=/etc/pki/CA/cacert.pem
tls_cert=/etc/pki/tls/certs/cert.pem
tls_key=/etc/pki/tls/certs/key.pem
olcUpdateRef: ldap://server.com
ACL on provider:
olcAccess: to attrs=userPassword
by self write
by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
by anonymous auth
by * none
olcAccess: to *
by self write
by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
by users read
olcAccess: to attrs=entry
by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
by * read
Let me know if any more configs are needed and I will post them. Any help is appreciated.
Siddharth Choure Senior Systems Engineer
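A check worth running before digging into ACLs, added here as an example and not part of the post above: compare the suffix's contextCSN on the provider and on the consumer. If they differ for longer than the retry interval, the consumer has not applied the provider's changes, which is exactly what leaves an old password valid on consumer-pointed boxes. The suffix and Manager DN are taken from the post; the consumer hostname is an assumed placeholder.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post: compare the suffix's
# contextCSN on the provider and on the consumer. Equal values mean the
# consumer has applied every change the provider has. Suffix, bind DN and
# provider URL follow the post; the consumer URL is a placeholder.
set -eu

SUFFIX="dc=ex,dc=example,dc=com"
BINDDN="cn=Manager,$SUFFIX"
PROVIDER="ldap://server.com"
CONSUMER="ldap://consumer.example.com"   # placeholder, replace with the real consumer

# Print the contextCSN value(s) found in LDIF text read from stdin, sorted.
# (contextCSN values are short enough that ldapsearch never line-folds them.)
extract_csn() {
    sed -n 's/^contextCSN: *//p' | sort
}

# Succeed (exit 0) when two LDIF blobs carry the same non-empty contextCSN set.
csn_in_sync() {
    prov_csn=$(printf '%s\n' "$1" | extract_csn)
    cons_csn=$(printf '%s\n' "$2" | extract_csn)
    [ -n "$prov_csn" ] && [ "$prov_csn" = "$cons_csn" ]
}

# Read the suffix entry's contextCSN from one server over StartTLS (-ZZ aborts
# if TLS cannot be negotiated); prompts for the Manager password (-W).
fetch_csn() {
    ldapsearch -ZZ -H "$1" -D "$BINDDN" -W -b "$SUFFIX" -s base contextCSN
}

# Live comparison only when invoked with --check, so the functions above can be
# sourced or tested without touching a directory server.
if [ "${1:-}" = "--check" ]; then
    provider_ldif=$(fetch_csn "$PROVIDER")
    consumer_ldif=$(fetch_csn "$CONSUMER")
    if csn_in_sync "$provider_ldif" "$consumer_ldif"; then
        echo "consumer is in sync with provider"
    else
        echo "consumer lags provider; check the syncrepl bind, provider ACLs and slapd logs" >&2
        exit 2
    fi
fi
```

Run it as `sh check_csn.sh --check` on a box that can reach both servers; if the CSNs never converge, the syncrepl bind DN is the first thing to verify against the provider's olcAccess rules.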