Hi there,
I'm running LDAP server version 2.3.39 and I'm using ppolicy to force some specific things on users, but I'm having some issues when I try to change my user's password with the passwd command.
Here's the screen output:
[user1@cliserv ~]$ ssh ldapclisrv
user1@ldapclisrv's password:
Your LDAP password will expire in 10 days.
Last login: Wed Mar 4 17:42:18 2009 from cliserv
[user1@ldapclisrv ~]$
[user1@ldapclisrv ~]$
[user1@ldapclisrv ~]$ passwd
Changing password for user user1.
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Can't contact LDAP server
Must supply old password to be changed as well as new one
passwd: Permission denied
[user1@ldapclisrv ~]$
As you can see, I can log in using the LDAP ID, and I can change user1's password if I use ldappasswd, entering all the LDAP information, but I would like to make it simpler.
Does anybody have any idea?
On 09.03.2009 15:00, Gustavo Mendes de Carvalho wrote:
> Hi there,
> I'm running LDAP server version 2.3.39 and I'm using ppolicy to force some specific things on users, but I'm having some issues when I try to change my user's password with the passwd command.
> Here's the screen output:
> [user1@cliserv ~]$ ssh ldapclisrv
> user1@ldapclisrv's password:
> Your LDAP password will expire in 10 days.

Wow! How did you do that? My Debian doesn't warn my users like that. What distribution are you using here? Or is this some custom-made login script?

> Last login: Wed Mar 4 17:42:18 2009 from cliserv
> [user1@ldapclisrv ~]$
> [user1@ldapclisrv ~]$
> [user1@ldapclisrv ~]$ passwd
> Changing password for user user1.
> Enter login(LDAP) password:
> New UNIX password:
> Retype new UNIX password:
> LDAP password information update failed: Can't contact LDAP server
> Must supply old password to be changed as well as new one
> passwd: Permission denied
> [user1@ldapclisrv ~]$
> As you can see, I can log in using the LDAP ID, and I can change user1's password if I use ldappasswd, entering all the LDAP information, but I would like to make it simpler.

The PAM stacks at /etc/pam.d/common-* are very important. A misconfiguration there can lead to such situations. If it happens on password change only, and if the LDAP account is still "valid", it may be the /etc/pam.d/common-password file.
Please post all your common-* PAM files here, including your /etc/pam.d/passwd if available.

l8r
Axel
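As an added illustration of the password stack Axel is asking about (example configuration written for this thread, not Gustavo's actual file and not part of the openldap project): the stack below follows the layout that authconfig generates on Red Hat-style systems, where passwd prints "Changing password for user ..." as in the transcript; on Debian the same stack lives in /etc/pam.d/common-password. The exact module options are an assumption about a typical pam_unix + pam_ldap setup, and the comments describe what each option does according to the pam_cracklib, pam_unix and pam_ldap manual pages.

```conf
# Example password stack (added illustration, not the poster's configuration).
# Red Hat layout: /etc/pam.d/system-auth, included from /etc/pam.d/passwd.
# Debian keeps the equivalent stack in /etc/pam.d/common-password.
#
# PAM runs the password stack twice: a preliminary-check pass (this is where
# pam_ldap prompts "Enter login(LDAP) password:" so it can bind as the user and
# hand the old password to the directory) and then an update pass.

# 1. A module that always prompts for, checks, and stores the new password as
#    PAM_AUTHTOK. This is what prints "New UNIX password:" / "Retype new UNIX
#    password:". requisite: a rejected (too weak) password stops the stack here.
password    requisite     pam_cracklib.so try_first_pass retry=3

# 2. Local accounts. use_authtok: reuse the token pam_cracklib collected instead
#    of prompting a second time. sufficient: success ends the stack; an
#    LDAP-only user has no /etc/shadow entry, so this fails and control moves on.
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

# 3. Directory accounts, again reusing the collected token. A failure here is
#    what passwd reports as "LDAP password information update failed: <text>",
#    where <text> is the LDAP result (client-side, e.g. "Can't contact LDAP
#    server", or the diagnostic string the server returned with its error).
password    sufficient    pam_ldap.so use_authtok

# 4. Nothing above succeeded: fail closed instead of silently returning success.
password    required      pam_deny.so
```

Two things worth checking against the transcript when comparing a real stack with this one. If pam_unix and pam_ldap each prompt for a new password, a module is missing use_authtok and the two stores can end up with different passwords. Independently of the stack, the line "Must supply old password to be changed as well as new one" is ppolicy's own text, returned when pwdSafeModify is set and the change arrives as a plain modify of userPassword without the old value; ldappasswd works because it uses the Password Modify extended operation with the old password, and pam_ldap does the same only when the client's ldap.conf sets pam_password exop, so that setting is worth confirming alongside the PAM files Axel asked for.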
openldap-technical@openldap.org