I'm trying to log into an LDAP client. Below I show a login from the ldap server to the ldap client, and another from a normal workstation on the same subnet to the ldap client. The workstation is able to log in, but I am not able to log in from the ldap server.
 
server: OpenLDAP 2.4.43
clients: nss-pam-ldapd 0.9.6
 
Any help much appreciated.
 
--- from ldap server to ldap client (fails)
$ ssh -l james 10.0.1.2
Enter passphrase for key '/home/james/.ssh/id_rsa':
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
New password:
Retype new password:
password change failed: Server is unwilling to perform
passwd: password updated successfully
Connection to 10.0.1.2 closed.
 
 
--- from workstation to ldap client (succeeds)
$ ssh node-2
Password:
You are required to change your password immediately (root enforced)
need a new password
New password:
Retype new password:
password change failed: Insufficient access
node-2(james):~$
 
 
 
$ ldapsearch -x -b 'dc=my,dc=example,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=my,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
 
# my.example.com
dn: dc=my,dc=example,dc=com
dc: cem
objectClass: dcObject
objectClass: organization
o: CEM
 
# manager, my.example.com
dn: cn=manager,dc=my,dc=example,dc=com
objectClass: organizationalRole
cn: Manager
description: LDAP Admin
 
# groups, my.example.com
dn: ou=groups,dc=my,dc=example,dc=com
ou: groups
description: Groups
objectClass: organizationalUnit
 
# users, my.example.com
dn: ou=users,dc=my,dc=example,dc=com
ou: users
description: Users
objectClass: organizationalUnit
 
# james, groups, my.example.com
dn: cn=james,ou=groups,dc=my,dc=example,dc=com
cn: james
objectClass: top
objectClass: posixGroup
gidNumber: 1000
 
# james, users, my.example.com
dn: uid=james,ou=users,dc=my,dc=example,dc=com
cn: James
uid: james
uidNumber: 1000
gidNumber: 1000
sn: James
homeDirectory: /home/james
mail: james@example.com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
gecos: james
shadowLastChange: 0
userPassword:: e1NTSEF9ZjhRMGwwaDk1ek9mMUViaDhreDNlUEsvdFhFb29wV3I=
shadowMax: 9999
shadowWarning: 14
 
# search result
search: 2
result: 0 Success
 
# numResponses: 7
# numEntries: 6
 
 
/etc/pam.d/system-auth
---
auth            required        pam_env.so
auth            sufficient      pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass
auth            required        pam_deny.so
 
account         required        pam_unix.so
account         [default=bad success=ok user_unknown=ignore]   pam_ldap.so  
account         optional        pam_permit.so
 
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        sufficient      pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        optional        pam_permit.so
 
session         required        pam_limits.so
session         required        pam_env.so
session         optional        pam_ldap.so
session         required        pam_unix.so
session         optional        pam_permit.so
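An added check, not part of the post above: a short Python script that parses an LDIF entry like the `uid=james` one (the sample embedded below is constructed, with a placeholder `userPassword` hash) and reports the shadow-ageing state that pam_unix/pam_ldap act on. It shows why `shadowLastChange: 0` produces the "required to change your password immediately" prompt on every login until a password change actually succeeds, and it also classifies the ordinary expired/warning/ok cases from `shadowMax` and `shadowWarning`.

```python
import base64
from datetime import date

# Constructed sample modelled on the shadowAccount entry in the post above;
# the base64 userPassword value is a placeholder, not the hash from the post.
SAMPLE_LDIF = """\
dn: uid=james,ou=users,dc=my,dc=example,dc=com
uid: james
objectClass: shadowAccount
shadowLastChange: 0
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
shadowMax: 9999
shadowWarning: 14
"""

def parse_ldif(text):
    """Return a list of entries, each a dict attr -> list of values.
    Handles '::' (base64) values, folded continuation lines and '#' comments."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:                # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):            # base64-encoded attribute value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def shadow_status(entry, today=None):
    """Classify a shadowAccount entry the way pam_unix/pam_ldap do.
    today = days since 1970-01-01 (the unit shadowLastChange is stored in)."""
    if today is None:
        today = date.today().toordinal() - date(1970, 1, 1).toordinal()
    last = int(entry.get("shadowLastChange", ["-1"])[0])
    max_days = int(entry.get("shadowMax", ["-1"])[0])
    warn = int(entry.get("shadowWarning", ["0"])[0])
    if last == 0:                 # admin forced a change: prompt on every login
        return "forced_change"
    if last < 0 or max_days < 0:  # ageing disabled
        return "ok"
    days_left = last + max_days - today
    if days_left < 0:
        return "expired"
    if days_left <= warn:
        return "warning"
    return "ok"
```

Until the password change itself succeeds server-side (so that shadowLastChange is rewritten to today's day count), the forced-change prompt will keep appearing regardless of which host the login comes from.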