Hi, I'm confused about LDAP authentication. I'm attempting to use LDAP with Kerberos 5. When changing a user's password, I issued:
user1]$ passwd
Kerberos 5 Password: ******
New UNIX password: ******
Retype new UNIX password: ******
Everything goes well; however, there is still a password that doesn't change, and I don't know what this password is or how to change it. As that same user, I can't use 'ldappasswd':
user1]$ ldappasswd
SASL/GSSAPI authentication started
SASL username: user1@MYREALM.COM
SASL SSF: 56
SASL installing layers
New password: yPYNAgvO    <--- this changes frequently
Result: Internal (implementation specific) error (80)
Additional info: SASL(-7): invalid parameter supplied: Error putting OTP secret
I should emphasize that user1 has two passwords: the first one can be changed with 'passwd' or 'kpasswd', the other one I don't know how to access, although this second password still works and can be used to log in.
More information:
user1]$ passwd
Kerberos 5 Password:            <--- type a wrong password and got the following (only the first password works here)
Enter login(LDAP) password:     <--- the second password works here
New UNIX password: ******
Retype new UNIX password: ******
LDAP password information update failed: Insufficient access
passwd: Permission denied
Best Regards.
Le Trung Kien wrote:
I'm attempting to use ldap with kerberos 5,
What does that mean? Is your KDC using OpenLDAP as backend-database or are you just using Kerberos tickets to authenticate against the LDAP server with SASL GSSAPI bind?
user1]$ passwd
Kerberos 5 Password: ******
New UNIX password: ******
Retype new UNIX password: ******
This is related to your PAM configuration.
Ciao, Michael.
Hi, thank you for your reply. I try to use Kerberos to authenticate some services that support it. I want to use Kerberos for authentication and LDAP for authorization in my system. At the current step I can allow users to log in using LDAP, and users must get a ticket to use some LDAP tools. And as you see, I'm a bit confused. That system has two passwords for a user and they can only change one of them. Both passwords can be used to log in.
2008/1/30, Michael Ströder michael@stroeder.com:
Le Trung Kien wrote:
I'm attempting to use ldap with kerberos 5,
What does that mean? Is your KDC using OpenLDAP as backend-database or are you just using Kerberos tickets to authenticate against the LDAP server with SASL GSSAPI bind?
user1]$ passwd
Kerberos 5 Password: ******
New UNIX password: ******
Retype new UNIX password: ******
This is related to your PAM configuration.
Ciao, Michael.
Le Trung Kien wrote:
I try to use Kerberos to authenticate some services that support it.
Which is your KDC?
I want to use Kerberos for authentication and LDAP for authorization in my system. At the current step I can allow users to log in using LDAP, and users must get a ticket to use some LDAP tools. And as you see, I'm a bit confused. That system has two passwords for a user and they can only change one of them. Both passwords can be used to log in.
You should simply allow normal users to login via pam_krb5. So normal users would only need the Kerberos password.
Ciao, Michael.
Hello Michael, I have installed the KDC server on the same machine as the LDAP server.
2008/2/25, Michael Ströder michael@stroeder.com:
You should simply allow normal users to login via pam_krb5. So normal users would only need the Kerberos password.
Thank you, your suggestion helps me understand the problem I have more clearly. I want to use Kerberos to authenticate the LDAP service and use LDAP with the pam_ldap module for both user authentication and authorization. I don't know if it's possible. Could you suggest how to do it?
Thank you very much.
2008/2/26, Michael Ströder michael@stroeder.com:
And is the KDC database stored in the LDAP server?
Ciao, Michael.
I think my KDC database isn't stored in the LDAP server, because I first installed the KDC and then I installed the LDAP service. Is that right? Help me please.
Le Trung Kien wrote:
2008/2/26, Michael Ströder <michael@stroeder.com>:
And is the KDC database stored in the LDAP server?
I think my KDC database isn't stored in the LDAP server, because I first installed the KDC and then I installed the LDAP service.
So your login password has nothing to do with the LDAP password and can't be synchronized. You really should dig deeper into how PAM, Kerberos and LDAP with SASL/GSSAPI etc. works. Might be a steep learning curve but there's no way around that.
Ciao, Michael.
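As an added illustration that is not part of the thread: a sketch of a PAM stack that produces the symptom Le Trung Kien describes (two independent passwords, both accepted at login, and 'passwd' walking both password stacks), next to a stack along the lines Michael suggests, where Kerberos is the only authentication source and LDAP only supplies account/authorization data. The file path /etc/pam.d/system-auth, the Red Hat-style layout and the option values are assumptions; module names are the usual pam_krb5.so, pam_ldap.so and pam_unix.so.

```text
# /etc/pam.d/system-auth (assumed path and layout)

# --- Stack that yields "two passwords": both modules are 'sufficient',
#     so either the Kerberos principal's password or the LDAP userPassword
#     attribute lets the user in. 'passwd' then tries pam_krb5 first and,
#     on failure, falls through to pam_ldap, which is where the second
#     "Enter login(LDAP) password:" prompt and the "Insufficient access"
#     result (slapd ACLs refusing the userPassword modify) come from.
auth        required      pam_env.so
auth        sufficient    pam_krb5.so
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

password    sufficient    pam_krb5.so
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

# --- Stack along the lines Michael suggests: pam_krb5 is the only
#     network authentication source (pam_unix keeps local accounts such
#     as root working), pam_ldap appears only in the account phase for
#     authorization, and the LDAP userPassword is never consulted, so a
#     user has a single password managed with passwd/kpasswd.
#     Assumes nsswitch.conf resolves passwd/group via LDAP for the
#     uid/gid/home/shell data.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_krb5.so
```

With the second stack the LDAP userPassword attribute can simply be left unset, since nothing in the login path binds with it.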
openldap-technical@openldap.org