At Wed, 20 Sep 2017 09:09:23 +0200 Clément OUDOT <clement.oudot@savoirfairelinux.com> wrote:
On 19/09/2017 at 18:45, Robert Heller wrote:
I am having a hard time setting a user password using ldap (OpenLDAP 2.4.40-13.el7) on a CentOS 7 system.
I have installed OpenLDAP 2.4.40-13.el7 (stock CentOS 7 server and client), nss-pam-ldapd (0.8.13-8.el7) and used authconfig to enable ldap. I have created a user in the ldap database, and getent works just fine -- the uid and gid are seen, etc. But I cannot set the user's password in a way that works for su (and presumably login/slogin, etc.). I am using ldappasswd to set the user's password.
I am thinking that PAM and ldappasswd are using *different* oneway encryption methods and I am guessing I need to update a configuration somewhere (either for pam, sssd, or nslcd), but I am not finding it.
PAM is an LDAP client so does not read the password, it just sends BIND requests and the OpenLDAP server then checks the password by using the hashing method corresponding to the current password value.
Can you check in your server ACLs (olcAccess parameter) that anonymous users have the 'auth' right on the userPassword attribute?
OK, I will check...
--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
137 boulevard de Magenta - 75010 PARIS
Blog: http://sflx.ca/coudot
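As an added illustration of the ACL check suggested above (this is example code, not part of the thread and not from either poster), the following POSIX sh snippet applies the rule Clément describes to a couple of constructed olcAccess values: a PAM BIND comes in anonymously, so the first `by` clause that matches anonymous (`by anonymous …` or `by * …`) must grant at least `auth` on userPassword. The sample ACL strings are constructed here; the `ldapsearch` command in the comment is the usual cn=config query on CentOS 7 and is shown only as a hint, not run.

```shell
#!/bin/sh
# Constructed sample olcAccess values (not taken from the thread).
# The first is a common broken form: 'self' never matches an anonymous BIND,
# and '* none' then denies it, so PAM's password check can never succeed.
BROKEN_ACL='{0}to attrs=userPassword by self write by * none'
# The second grants 'auth' to anonymous, which is what the BIND needs.
WORKING_ACL='{0}to attrs=userPassword by self write by anonymous auth by * none'

# To read the live value on a CentOS 7 server (not executed here):
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}hdb,cn=config' olcAccess

# acl_allows_anon_auth RULE
# Returns 0 when RULE covers userPassword and the first 'by' clause that
# applies to an anonymous client grants auth or a stronger level.
# Handles the simple "by <who> <level>" form only, not every ACL syntax.
acl_allows_anon_auth() {
  rule=$1
  case "$rule" in
    *attrs=userPassword*) ;;
    *) return 1 ;;            # rule does not cover userPassword at all
  esac
  set -f                      # no globbing: the rule may contain '*'
  set -- $rule
  set +f
  while [ $# -gt 0 ]; do
    if [ "$1" = "by" ] && [ $# -ge 3 ]; then
      who=$2
      level=$3
      case "$who" in
        anonymous|\*)
          # First matching clause decides for this client.
          case "$level" in
            auth|compare|search|read|write|manage) return 0 ;;
            *) return 1 ;;    # none or disclose: BIND cannot verify the hash
          esac ;;
      esac
      shift 3
    else
      shift                   # 'self', 'users', 'dn.*' etc. do not match anonymous
    fi
  done
  return 1                    # no clause applied to anonymous: implicit deny
}

# LDIF that adds the anonymous auth clause, for reference (database DN assumed).
fix_ldif() {
  cat <<'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by * read
EOF
}

for acl in "$BROKEN_ACL" "$WORKING_ACL"; do
  if acl_allows_anon_auth "$acl"; then
    echo "OK      : $acl"
  else
    echo "BROKEN  : $acl"
  fi
done
```

The check mirrors how slapd evaluates an ACL: clauses are tried in order and the first one whose `by` subject matches the client decides, so `by self write` placed before `by * none` still leaves an anonymous BIND with no access. Once the rule grants `auth`, the server compares the hash stored in userPassword (whatever scheme ldappasswd wrote) against the bound password itself, which is why the hashing method on the PAM side does not matter.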