On Mon, 20 Jan 2014 19:48:40 -0700, Joshua Schaeffer <jschaeffer0922@gmail.com> wrote:
Thanks for the explanation, that really helped. I didn't know about the '+' and was able to see some ppolicy operational attributes on my uid. I read the slapo-ppolicy manual page and that also helped clarify a few things. You stated that users being able to change their own password depended on access rights. These are the access rights I have in my database. Are these correct to allow users to change their password:
===================================================
root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <olcDatabase={1}hdb,cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: olcAccess
#

# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write by * read

# {0}ppolicy, {1}hdb, config
dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
===================================================
I've been fiddling with my setup to see if I can't get it to work. I read that you need to tell PAM on the client server to do a lookup for password policies using 'pam_lookup_policy yes' in the /etc/pam_ldap.conf file. I was using libpam-ldapd instead of libpam-ldap, which doesn't use the pam_ldap.conf file for its configuration (it shares its config file with libnss-ldapd, which is the /etc/nslcd.conf file). I uninstalled libpam-ldapd and installed libpam-ldap instead, adjusted the config file, and I appear to be getting a little further. Now when I try to change my password on a client server I get the following:
===================================================
jschaeffer@defiler:~$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one
passwd: Permission denied
passwd: password unchanged
===================================================
I'm not sure why it wouldn't recognize that I did enter my previous password before I attempted to change it.
[...]
Run slapd(8) in debugging mode with -d acl
-Dieter
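As an added illustration of how the three olcAccess rules quoted above resolve (this is not code from either poster or from OpenLDAP), here is a small model of slapd's ACL evaluation: the first `to` clause whose target matches is selected, and within it the first `by` clause whose subject matches decides the access level. The user DN is a constructed example, and only the target and subject forms those three rules use are modelled.

```python
# Added example (not code from either poster or from OpenLDAP): a minimal model of
# slapd's olcAccess evaluation. The first "to" clause whose target matches is
# selected; within it the first matching "by" clause decides the access level.
# Only the target/subject forms used in the three rules above are modelled.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=admin,dc=harmonywave,dc=com"
USER = "uid=jschaeffer,ou=people,dc=harmonywave,dc=com"  # constructed user DN

# The three rules from the ldapsearch output, as (target, [(subject, level), ...]).
ACL = [
    ({"attrs": {"userpassword", "shadowlastchange"}},
     [("self", "write"), ("anonymous", "auth"), (("dn", ADMIN), "write"), ("*", "none")]),
    ({"dn.base": ""}, [("*", "read")]),
    ({}, [("self", "write"), (("dn", ADMIN), "write"), ("*", "read")]),
]

def target_matches(target, entry_dn, attr):
    # attrs=... only applies to access to one of the listed attributes
    if "attrs" in target and (attr is None or attr.lower() not in target["attrs"]):
        return False
    if "dn.base" in target and entry_dn.lower() != target["dn.base"]:
        return False
    return True  # an empty target is "to *"

def subject_matches(subject, bound_dn, entry_dn):
    if subject == "*":
        return True
    if subject == "anonymous":
        return bound_dn is None
    if subject == "self":  # the bound identity is the entry being accessed
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    if isinstance(subject, tuple) and subject[0] == "dn":  # exact DN match
        return bound_dn is not None and bound_dn.lower() == subject[1].lower()
    return False

def granted(bound_dn, entry_dn, attr=None):
    # Returns the access level slapd would resolve; bound_dn=None is anonymous
    for target, by_clauses in ACL:
        if not target_matches(target, entry_dn, attr):
            continue
        for subject, level in by_clauses:
            if subject_matches(subject, bound_dn, entry_dn):
                return level
        return "none"  # matching "to" with no matching "by": implicit "by * none"
    return "none"

def allows(bound_dn, entry_dn, attr, needed):
    return LEVELS.index(granted(bound_dn, entry_dn, attr)) >= LEVELS.index(needed)
```

With these rules a user bound as their own DN does get write on userPassword and shadowLastChange, anonymous gets only auth (enough to bind, not to read the hash), and any other user gets nothing on those attributes; it says nothing about what the ppolicy overlay or pam_ldap do on top of the ACL check, which is what the `-d acl` trace would show.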