I'm trying to log into an LDAP client. Below I show a login from the ldap server to the ldap client, and another from a normal workstation on the same subnet to the ldap client. The workstation is able to login, but am not able to login from the ldap server.

 

server: OpenLDAP 2.4.43

clients: nss-pam-ldapd 0.9.6

 

Any help much appreciated.

 

--- from ldap server to ldap client (fails)

$ ssh -l james 10.0.1.2

Enter passphrase for key '/home/james/.ssh/id_rsa':

You are required to change your password immediately (root enforced)

WARNING: Your password has expired.

You must change your password now and login again!

New password:

Retype new password:

password change failed: Server is unwilling to perform

passwd: password updated successfully

Connection to 10.0.1.2 closed.

 

 

--- from worstation to ldap client (succeeds)

$ ssh node-2

Password:

You are required to change your password immediately (root enforced)

need a new password

New password:

Retype new password:

password change failed: Insufficient access

node-2(james):~$

 

 

 

$ ldapsearch -x -b 'dc=my,dc=example,dc=com' '(objectclass=*)'

# extended LDIF

#

# LDAPv3

# base <dc=my,dc=example,dc=com> with scope subtree

# filter: (objectclass=*)

# requesting: ALL

#

 

# my.example.com

dn: dc=my,dc=example,dc=com

dc: cem

objectClass: dcObject

objectClass: organization

o: CEM

 

# manager, my.example.com

dn: cn=manager,dc=my,dc=example,dc=com

objectClass: organizationalRole

cn: Manager

description: LDAP Admin

 

# groups, my.example.com

dn: ou=groups,dc=my,dc=example,dc=com

ou: groups

description: Groups

objectClass: organizationalUnit

 

# users, my.example.com

dn: ou=users,dc=my,dc=example,dc=com

ou: users

description: Users

objectClass: organizationalUnit

 

# james, groups, my.example.com

dn: cn=james,ou=groups,dc=my,dc=example,dc=com

cn: james

objectClass: top

objectClass: posixGroup

gidNumber: 1000

 

# james, users, my.example.com

dn: uid=james,ou=users,dc=my,dc=example,dc=com

cn: James

uid: james

uidNumber: 1000

gidNumber: 1000

sn: James

homeDirectory: /home/james

mail: james@example.com

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

objectClass: posixAccount

objectClass: shadowAccount

loginShell: /bin/bash

gecos: james

shadowLastChange: 0

userPassword:: e1NTSEF9ZjhRMGwwaDk1ek9mMUViaDhreDNlUEsvdFhFb29wV3I=

shadowMax: 9999

shadowWarning: 14

 

# search result

search: 2

result: 0 Success

 

# numResponses: 7

# numEntries: 6

 

 

/etc/pam.d/system-auth

---

auth            required        pam_env.so

auth            sufficient      pam_unix.so try_first_pass likeauth nullok

auth            sufficient      pam_ldap.so use_first_pass

auth            required        pam_deny.so

 

account         required        pam_unix.so

account         [default=bad success=ok user_unknown=ignore]   pam_ldap.so  

account         optional        pam_permit.so

 

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3

password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow

password        sufficient      pam_ldap.so use_authtok use_first_pass

password        optional        pam_permit.so

 

session         required        pam_limits.so

session         required        pam_env.so

session         optional        pam_ldap.so

session         required        pam_unix.so