Hi list, I'm using CentOS 6.4, and moved user management to OpenLDAP. As far as it works fine for a user - the user can log in, do `passwd` to change his password, etc. - it fails for root to change users' passwords. Root has to use ldapmodify. Is this normal behavior, or do I have some configuration errors?
For now, LDAP ACL was "turned off" - every user has manage permission. I know it's a security issue, but I wanted to remove potential interference. I will change this as soon as root can change users' passwords. SELinux was also turned off to eliminate its potential interference. Iptables was "turned off" as well, though I think it doesn't matter as long as port 389 is open.
My configs, logs, etc. are in here: http://fpaste.org/26708/ Thanks in advance, Augustyn
Root has to use ldappasswd to change users' passwords.
On 20/07/2013 14:59, Augustin Wolf wrote:
I believe you can use the rootbinddn feature in pam_ldap.conf to allow the root user the ability to change other users' passwords via the passwd command, although it requires you to store rootbinddn's authentication info on the system which could constitute a security risk. See pam_ldap(5) for more info.
-Michael Proto
On Sat, Jul 20, 2013 at 8:59 AM, Augustin Wolf augustynwilk@gmail.com wrote:
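As an added example of the check Michael's caveat calls for (this is not code from the thread or from pam_ldap): a shell function that verifies the file holding the rootbinddn password is owned by root, readable by nobody else, and not empty. The path /etc/pam_ldap.secret is an assumption (pam_ldap(5) on your system names the actual file), and GNU stat(1) is assumed.

```shell
# Added example: sanity-check the rootbinddn secret file that pam_ldap reads.
# Assumed path: /etc/pam_ldap.secret on CentOS 6 (upstream PADL pam_ldap uses
# /etc/ldap.secret). Requires GNU stat. Returns 0 only if the file is safe.
# usage: check_secret_file /etc/pam_ldap.secret
check_secret_file() {
    f="$1"
    want_owner="${2:-root}"   # owner the file must have (root on a real system)
    if [ ! -f "$f" ]; then
        echo "no secret file at $f; rootbinddn has nothing to bind with"
        return 1
    fi
    mode=$(stat -c '%a' "$f") || return 1
    owner=$(stat -c '%U' "$f") || return 1
    if [ "$owner" != "$want_owner" ]; then
        echo "$f is owned by $owner, expected $want_owner"
        return 1
    fi
    case "$mode" in
        600|400) ;;   # only the owner may read the LDAP admin bind password
        *) echo "$f has mode $mode; group and other must have no access"; return 1 ;;
    esac
    if [ ! -s "$f" ]; then
        echo "$f is empty; the bind will fail"
        return 1
    fi
    return 0
}
```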
On 22 July 2013 18:14, Michael Proto michael.proto@tstllc.net wrote:
I believe you can use the rootbinddn feature in pam_ldap.conf to allow the
rootbinddn is set in pam_ldap.conf and sadly it doesn't work. I have it set to the LDAP admin DN (the same as rootdn in slapd.conf). This user has more privileges (manage permission on all LDAP attributes).
On 22 July 2013 14:57, Cooper, Tom TCooper@fnb.co.za wrote:
Root has to use ldappasswd to change users' passwords.
I had to integrate the user database with Kerberos. I'm guessing that ldappasswd doesn't support Kerberos attributes. Does root have to change the password using two systems: one for LDAP and another for Kerberos? Does root really have to do double work to change all tokens? Without it there might be a password mismatch: one password for Kerberos and a different one for LDAP.
In my struggle with this issue, I noticed that when I add the following to /etc/sssd/sssd.conf:

    ldap_sasl_mech = GSSAPI
    ldap_sasl_authid = root/admin
    ldap_sasl_realm = EXAMPLE.COM

the error message is different:

    [root@ldap ~]# passwd test
    Changing password for user test.
    System is offline, password change not possible
    passwd: Authentication token manipulation error

    ==> /var/log/secure <==
    Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication failed for user test: 20 (Authentication token manipulation error)

Thanks for the replies, guys.
My configs, logs, etc are in here: http://fpaste.org/26708/
Answer: you cannot change the password using passwd, as sssd doesn't support such a feature. There might be a change to sss_ldap.so to prompt for the LDAP admin DN and password, but ldappasswd and kpasswd are considered sufficient tools.
For more info see this thread: https://lists.fedoraproject.org/pipermail/users/2013-July/438605.html.
On 22 July 2013 22:08, Augustin Wolf augustynwilk@gmail.com wrote: