Answer: you cannot change the password using passwd, as sssd doesn't support such a feature. There might be a change to sss_ldap.so to prompt for the LDAP admin DN and password, but ldappasswd and kpasswd are considered sufficient tools.
For more info see this thread: https://lists.fedoraproject.org/pipermail/users/2013-July/438605.html.
On 22 July 2013 22:08, Augustin Wolf augustynwilk@gmail.com wrote:
On 22 July 2013 18:14, Michael Proto michael.proto@tstllc.net wrote:
I believe you can use the rootbinddn feature in pam_ldap.conf to allow the
rootbinddn is set in pam_ldap.conf and sadly it doesn't work. I have it set to the LDAP admin DN (the same as rootdn in slapd.conf). This user has more privileges (manage permission on all LDAP attributes).
On 22 July 2013 14:57, Cooper, Tom TCooper@fnb.co.za wrote:
Root has to use ldappasswd to change users' passwords.
I had to integrate the user database with Kerberos. I'm guessing that ldappasswd doesn't support Kerberos attributes. Does root have to change the password using two systems: one for LDAP, another for Kerberos? Does root really have to do double work to change all tokens? Without it there might be a password mismatch: one password for Kerberos and a different one for LDAP.
-Michael Proto
In my struggle with this issue, I noticed that when I add the following to /etc/sssd/sssd.conf:

ldap_sasl_mech = GSSAPI
ldap_sasl_authid = root/admin
ldap_sasl_realm = EXAMPLE.COM

the error message is different:

[root@ldap ~]# passwd test
Changing password for user test.
System is offline, password change not possible
passwd: Authentication token manipulation error

==> /var/log/secure <==
Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication failed for user test: 20 (Authentication token manipulation error)
Thanks for the replies, guys.
My configs, logs, etc are in here: http://fpaste.org/26708/
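The pam_sss chauthtok failure quoted above is the kind of line an admin wants to spot in /var/log/secure, whether it comes from a misconfigured password-change path like this one or from someone repeatedly trying to change another account's password. The script below is an added example, not code from the thread or from sssd; it parses pam_sss lines in the format shown, separates chauthtok failures from ordinary auth events, and counts them per user and PAM return code. The sample log lines are constructed for the example (only the first one is the line quoted in the thread), and the PAM code name table is limited to the codes the script needs.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample from /var/log/secure; the first line is the one quoted in
# the thread, the others are invented for the example.
SAMPLE_SECURE_LOG = """\
Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication failed for user test: 20 (Authentication token manipulation error)
Jun 25 16:28:02 ldap passwd: pam_sss(passwd:chauthtok): Authentication failed for user test: 20 (Authentication token manipulation error)
Jun 25 16:30:11 ldap passwd: pam_sss(passwd:chauthtok): Authentication failed for user alice: 20 (Authentication token manipulation error)
Jun 25 16:31:40 ldap sshd[1234]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=alice
Jun 25 16:32:05 ldap sshd[1240]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=bob
"""

# Linux-PAM return codes that matter for password-change monitoring.
PAM_CODE_NAMES = {
    20: "PAM_AUTHTOK_ERR",            # "Authentication token manipulation error"
    21: "PAM_AUTHTOK_RECOVERY_ERR",
    22: "PAM_AUTHTOK_LOCK_BUSY",
}

# syslog prefix + "pam_sss(<service>:<stage>): <message>"
PAM_SSS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: "
    r"pam_sss\((?P<service>[\w.-]+):(?P<stage>\w+)\): (?P<msg>.*)$"
)

# The message body sssd writes on a failed password change.
CHAUTHTOK_FAIL_RE = re.compile(
    r"Authentication failed for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of a pam_sss log line, or None for unrelated lines."""
    m = PAM_SSS_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def failed_chauthtok(log_text: str) -> list:
    """Collect every failed password change (stage 'chauthtok') in the log."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["stage"] != "chauthtok":
            continue
        fail = CHAUTHTOK_FAIL_RE.match(rec["msg"])
        if fail is None:
            continue
        code = int(fail.group("code"))
        events.append({
            "ts": rec["ts"],
            "host": rec["host"],
            "service": rec["service"],
            "user": fail.group("user"),
            "code": code,
            "code_name": PAM_CODE_NAMES.get(code, "UNKNOWN"),
            "reason": fail.group("reason"),
        })
    return events


def summarize(log_text: str) -> Counter:
    """Count failed password changes per (user, PAM return code)."""
    return Counter((e["user"], e["code"]) for e in failed_chauthtok(log_text))


if __name__ == "__main__":
    for (user, code), n in sorted(summarize(SAMPLE_SECURE_LOG).items()):
        print(f"{user}: {n} failed chauthtok, code {code} ({PAM_CODE_NAMES.get(code, '?')})")
```

Run against a real /var/log/secure the summary makes a burst of PAM_AUTHTOK_ERR for one user stand out; in the configuration from the thread every passwd attempt produces one, so a sudden run of them after a config change is a signal to check sssd's backend state before suspecting the user.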