I'm trying to log into an LDAP client. Below I show a login from the LDAP server to the LDAP client, and another from a normal workstation on the same subnet to the LDAP client. The workstation is able to log in, but I am not able to log in from the LDAP server.

server: OpenLDAP 2.4.43
clients: nss-pam-ldapd 0.9.6
Any help much appreciated.
--- from ldap server to ldap client (fails)

```
$ ssh -l james 10.0.1.2
Enter passphrase for key '/home/james/.ssh/id_rsa':
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
New password:
Retype new password:
password change failed: Server is unwilling to perform
passwd: password updated successfully
Connection to 10.0.1.2 closed.
```

--- from workstation to ldap client (succeeds)

```
$ ssh node-2
Password:
You are required to change your password immediately (root enforced)
need a new password
New password:
Retype new password:
password change failed: Insufficient access
node-2(james):~$
```
```
$ ldapsearch -x -b 'dc=my,dc=example,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# my.example.com
dn: dc=my,dc=example,dc=com
dc: cem
objectClass: dcObject
objectClass: organization
o: CEM

# manager, my.example.com
dn: cn=manager,dc=my,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Admin

# groups, my.example.com
dn: ou=groups,dc=my,dc=example,dc=com
ou: groups
description: Groups
objectClass: organizationalUnit

# users, my.example.com
dn: ou=users,dc=my,dc=example,dc=com
ou: users
description: Users
objectClass: organizationalUnit

# james, groups, my.example.com
dn: cn=james,ou=groups,dc=my,dc=example,dc=com
cn: james
objectClass: top
objectClass: posixGroup
gidNumber: 1000

# james, users, my.example.com
dn: uid=james,ou=users,dc=my,dc=example,dc=com
cn: James
uid: james
uidNumber: 1000
gidNumber: 1000
sn: James
homeDirectory: /home/james
mail: james@example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
gecos: james
shadowLastChange: 0
userPassword:: e1NTSEF9ZjhRMGwwaDk1ek9mMUViaDhreDNlUEsvdFhFb29wV3I=
shadowMax: 9999
shadowWarning: 14

# search result
search: 2
result: 0 Success

# numResponses: 7
# numEntries: 6
```
/etc/pam.d/system-auth ---

```
auth     required   pam_env.so
auth     sufficient pam_unix.so try_first_pass likeauth nullok
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so

account  required   pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  optional   pam_permit.so

password required   pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password sufficient pam_ldap.so use_authtok use_first_pass
password optional   pam_permit.so

session  required   pam_limits.so
session  required   pam_env.so
session  optional   pam_ldap.so
session  required   pam_unix.so
session  optional   pam_permit.so
```
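Both logins above are forced into a password change before the change itself fails, and the trigger is visible in the directory data: `shadowLastChange: 0`, which pam_unix (fed by nss-pam-ldapd) reports as "root enforced". The script below, an added example that is not part of the question or of any of the tools named in it, parses `ldapsearch` LDIF output (including base64 `::` values and continuation lines) and reports each shadowAccount's aging state the way the shadow(5) rules do, so an operator can audit which accounts will be pushed into a change at next login. The sample entry is constructed from the output above with the real password hash replaced by a placeholder.

```python
import base64
import time

# Constructed sample: the james entry from the ldapsearch output above,
# with the real userPassword hash replaced by a placeholder value.
SAMPLE_LDIF = """\
# james, users, my.example.com
dn: uid=james,ou=users,dc=my,dc=example,dc=com
uid: james
objectClass: shadowAccount
shadowLastChange: 0
userPassword:: e1NTSEF9UExBQ0VIT0xERVI=
shadowMax: 9999
shadowWarning: 14
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attribute: [values]} dicts.
    Handles '# ' comments, '::' base64 values and leading-space continuations."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip()
        if value.startswith(":"):           # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr.strip(), []).append(value)
    return entries


def shadow_state(entry, today=None):
    """Classify a shadowAccount entry by the shadow(5) aging rules:
    'root_enforced' (lastchange 0), 'aged' (past shadowMax),
    'warn' (inside shadowWarning window) or 'ok' (also when aging is off)."""
    today = int(time.time() // 86400) if today is None else today
    last = int(entry.get("shadowLastChange", ["-1"])[0])
    smax = int(entry.get("shadowMax", ["99999"])[0])
    warn = int(entry.get("shadowWarning", ["0"])[0])
    if last == 0:
        return "root_enforced"              # change demanded at next login
    if last < 0:
        return "ok"                         # aging disabled for this account
    if today > last + smax:
        return "aged"
    if today >= last + smax - warn:
        return "warn"
    return "ok"


def audit(text, today=None):
    """Map uid -> aging state for every shadowAccount entry in LDIF text."""
    return {e["uid"][0]: shadow_state(e, today)
            for e in parse_ldif(text) if "shadowAccount" in e.get("objectClass", [])}
```

Run it against a saved `ldapsearch` dump with `audit(open("dump.ldif").read())`; an account listed as `root_enforced` will be prompted to change its password on every login until `shadowLastChange` is updated, which is exactly what the failed password change in the question prevents.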