Hi guys,
my ldapserver works fine now, but the first users are arriving. The normal user should change their own password. So, everyone thinks of passwd in the shell.
But: LDAP password information update failed: Insufficient access Must supply old password to be changed as well as new one
Here is my ACL:
olcAccess: {0} to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset by * none
olcAccess: {1} to attrs=userPassword by self write by * auth
olcAccess: {2} to attrs=shadowLastChange by self write by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by users read by * auth
olcAccess: {3} to attrs=userPKCS12 by self read by * none
olcAccess: {4} to * by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by * none
I tried the same with olcAccess: {4}to * by * read
and allowing anonymous binds, but same error. passwd seems to try to bind with the binduser and then to read and to write the userPassword, but only has auth access.
Has anyone an idea how to enable this?
Thanks a lot. Holger
Hey, have you taken a look at your syslog messages and enabled logging in your slapd config?
bye.
On Thu, Dec 2, 2010 at 15:26, Holger Schier hschier@mathematik.uni-mainz.de wrote:
On Thursday, 2 December 2010 15:26:47 Holger Schier wrote:
Hi guys,
my ldapserver works fine now, but the first users are arriving.
Can you provide some configuration details? E.g., /etc/pam.d/passwd and any other pam files it includes or stacks.
The normal user should change their own password. So, everyone thinks of passwd in the shell.
But: LDAP password information update failed: Insufficient access Must supply old password to be changed as well as new one
Here is my ACL:
olcAccess: {0} to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset by * none
olcAccess: {1} to attrs=userPassword by self write by * auth
olcAccess: {2} to attrs=shadowLastChange by self write by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by users read by * auth
olcAccess: {3} to attrs=userPKCS12 by self read by * none
olcAccess: {4} to * by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by * none
I tried the same with olcAccess: {4}to * by * read
and allowing anonymous binds, but same error. passwd seems to try to bind with the binduser and then to read and to write the userPassword, but only has auth access.
Are you using pam_ldap with rootbinddn? pam_ldap makes some stupid assumptions if you use rootbinddn. rootbinddn is used for two different reasons:
- allow you to hide the password (in /etc/ldap.secret, which doesn't need to be world readable)
- allow the root user to change the password of LDAP users without knowing their LDAP password
IMHO, these should be two separate concepts. I would like to be able to secure to some degree the host's access to the DSA (even in environments without GSSAPI available), but I also don't want to give the host elevated privileges in the DIT ...
See function _update_authtok around line 2967 of pam_ldap.c
Regards, Buchan
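Added illustration, not part of the thread and not OpenLDAP's or pam_ldap's code: a small Python model of how slapd evaluates the olcAccess lines Holger posted (first matching "to" clause wins, then the first matching "by" clause inside it, with the implicit "by * none" fallback). It reproduces what Holger saw: a user bound as self gets write on userPassword, but a DN that binds as cn=BINDUSER (the rootbinddn/binduser situation Buchan describes) only reaches auth, and widening the catch-all "{4} to * by * read" changes nothing because directive {1} already matched. The user DN uid=holger,ou=people,dc=MY,dc=DC is constructed for the example; the model assumes a no-match result of none, handles only the "who" forms that appear in this ACL, and ignores regex DNs and control keywords.

```python
"""Toy model of slapd olcAccess evaluation (simplified, not OpenLDAP's code)."""
import re

# Access levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed copy of the ACL quoted in the thread (index prefixes dropped).
ACL = [
    'to attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset by * none',
    'to attrs=userPassword by self write by * auth',
    'to attrs=shadowLastChange by self write by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by users read by * auth',
    'to attrs=userPKCS12 by self read by * none',
    'to * by dn.base="cn=BINDUSER,dc=MY,dc=DC" read by * none',
]

# Holger's second attempt: same ACL with the catch-all opened to everyone.
ACL_OPEN_CATCHALL = ACL[:-1] + ['to * by * read']

# Constructed DNs for the demonstration.
USER = "uid=holger,ou=people,dc=MY,dc=DC"
BINDUSER = "cn=BINDUSER,dc=MY,dc=DC"

# "by <who> <level>" pairs; only the who-forms used in this ACL are modelled.
BY_RE = re.compile(r'by\s+(\*|self|users|anonymous|dn\.base="[^"]*")\s+(\w+)')


def parse(directive):
    """Split 'to <what> by <who> <level> ...' into (attrs or None for '*', [(who, level), ...])."""
    what, _, rest = directive.partition(" by ")
    what = what[len("to "):].strip()
    if what == "*":
        attrs = None
    else:
        attrs = {a.strip().lower() for a in what[len("attrs="):].split(",")}
    return attrs, BY_RE.findall("by " + rest)


def who_matches(who, bind_dn, target_dn):
    """bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":  # the bound DN is the entry being touched
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith('dn.base="'):
        return bind_dn is not None and bind_dn.lower() == who[len('dn.base="'):-1].lower()
    raise ValueError("unsupported who clause: %s" % who)


def access(acl, bind_dn, target_dn, attr):
    """Access level bind_dn gets on attr of target_dn under first-match semantics."""
    for directive in acl:
        attrs, bys = parse(directive)
        if attrs is not None and attr.lower() not in attrs:
            continue  # this 'to' clause does not cover the attribute
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level  # first matching 'by' clause wins (default control 'stop')
        return "none"  # 'to' matched but no 'by' did: implicit 'by * none'
    return "none"  # assumption: nothing matched at all


def allows(acl, bind_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (a modify needs 'write')."""
    return LEVELS.index(access(acl, bind_dn, target_dn, attr)) >= LEVELS.index(needed)


def password_change_outcomes():
    """Who can replace userPassword on Holger's entry under the posted ACL."""
    return {
        "self": allows(ACL, USER, USER, "userPassword", "write"),
        "binduser": allows(ACL, BINDUSER, USER, "userPassword", "write"),
        "anonymous": allows(ACL, None, USER, "userPassword", "write"),
        "binduser_with_open_catchall": allows(ACL_OPEN_CATCHALL, BINDUSER, USER, "userPassword", "write"),
    }


if __name__ == "__main__":
    for who, ok in password_change_outcomes().items():
        print("%-28s %s" % (who, "write ok" if ok else "Insufficient access"))
    print("BINDUSER on shadowLastChange:", access(ACL, BINDUSER, USER, "shadowLastChange"))
```

The model also shows a second obstacle for the binduser path: directive {2} gives cn=BINDUSER only read on shadowLastChange, so even if userPassword were writable the shadowLastChange update would still be refused. On the real server the equivalent check is slapacl(8), for instance `slapacl -b "uid=holger,ou=people,dc=MY,dc=DC" -D "cn=BINDUSER,dc=MY,dc=DC" "userPassword/write"`, run against the live configuration rather than a copy of it.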
openldap-technical@openldap.org