FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 04-01-2011, 03:50 PM
Judith Flo Gaya
 
Default help with ldap

Hello,

I'm trying for some days to get an ldap server working, but I'm stuck
with some issues ;( Some of them, I just worked them around, but there's
one I can't deal with, I can get a user to change it's password in a
client machine.

This is a RHEL 6 server with
compat-openldap-2.4.19_2.3.43-15.el6.x86_64
openldap-devel-2.4.19-15.el6.x86_64
openldap-2.4.19-15.el6.x86_64
openldap-servers-2.4.19-15.el6.x86_64
openldap-clients-2.4.19-15.el6.x86_64

the slapd.conf interesting part:
access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by * none

access to *
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by * read

access to *
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by * read



This is the client rpms (fedora 14)
openldap-2.4.22-7.fc14.x86_64
openldap-devel-2.4.22-7.fc14.x86_64
openldap-2.4.22-7.fc14.i686
openldap-clients-2.4.22-7.fc14.x86_64

And the problem is this:
client_machine-bash-4.1$ passwd
Changing password for user user1.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error

I have to mention that I had to made some changes in order to simply be
able to query for a user. Ldapsearch worked but in order to do something
like :
id user1
or
su - user1

I had to change /etc/sysconfig/authconfig with
FORCELEGACY=yes
#FORCELEGACY=no

In this way I have been able to modify /etc/nsswitch with ldap values
when running authconfig-tui (otherwise it was only using sss and I
couldn't even be asked for the ldap password).

The point is the sss system. Without this entry (sss in nsswitch) I'm
not able to id or su, but if I don't put the ldap
keyword, I'm not even asked for the Enter login(LDAP) password:
but I'm asked for the "local" password which of course, doesn't exists,
so I get a nice "system error -4" because the system doesn't recognize it.

I don't know if I made myself clear enough, hope you can help me and I
really thank you in advance for any help you could provide.

Sincerely,
j

--
Judith Flo Gaya
Systems Administrator IMPPC
e-mail: jflo@imppc.org
Tel (+34) 93 554-3079
Fax (+34) 93 465-1472

Institut de Medicina Predictiva i Personalitzada del Cāncer
Crta Can Ruti, Camí de les Escoles s/n
08916 Badalona, Barcelona,
Spain
http://www.imppc.org
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 
Old 04-01-2011, 07:07 PM
Craig White
 
Default help with ldap

On Fri, 2011-04-01 at 17:50 +0200, Judith Flo Gaya wrote:
> Hello,
>
> I'm trying for some days to get an ldap server working, but I'm stuck
> with some issues ;( Some of them, I just worked them around, but there's
> one I can't deal with, I can get a user to change it's password in a
> client machine.
>
> This is a RHEL 6 server with
> compat-openldap-2.4.19_2.3.43-15.el6.x86_64
> openldap-devel-2.4.19-15.el6.x86_64
> openldap-2.4.19-15.el6.x86_64
> openldap-servers-2.4.19-15.el6.x86_64
> openldap-clients-2.4.19-15.el6.x86_64
>
> the slapd.conf interesting part:
> access to attrs=userPassword,shadowLastChange
> by self write
> by anonymous auth
> by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
> by * none
>
> access to *
> by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
> by * read
>
> access to *
> by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
> by * read
>
>
>
> This is the client rpms (fedora 14)
> openldap-2.4.22-7.fc14.x86_64
> openldap-devel-2.4.22-7.fc14.x86_64
> openldap-2.4.22-7.fc14.i686
> openldap-clients-2.4.22-7.fc14.x86_64
>
> And the problem is this:
> client_machine-bash-4.1$ passwd
> Changing password for user user1.
> Enter login(LDAP) password:
> New password:
> Retype new password:
> LDAP password information update failed: Insufficient access
> passwd: Authentication token manipulation error
>
> I have to mention that I had to made some changes in order to simply be
> able to query for a user. Ldapsearch worked but in order to do something
> like :
> id user1
> or
> su - user1
>
> I had to change /etc/sysconfig/authconfig with
> FORCELEGACY=yes
> #FORCELEGACY=no
>
> In this way I have been able to modify /etc/nsswitch with ldap values
> when running authconfig-tui (otherwise it was only using sss and I
> couldn't even be asked for the ldap password).
>
> The point is the sss system. Without this entry (sss in nsswitch) I'm
> not able to id or su, but if I don't put the ldap
> keyword, I'm not even asked for the Enter login(LDAP) password:
> but I'm asked for the "local" password which of course, doesn't exists,
> so I get a nice "system error -4" because the system doesn't recognize it.
>
> I don't know if I made myself clear enough, hope you can help me and I
> really thank you in advance for any help you could provide.
----
change your ACL's on the server...

access to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by * none

access to *
by dn="cn=admin,dc=linux,dc=imppc,dc=org" write
by anonymous auth
by * read

Craig


--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
 

Thread Tools




All times are GMT. The time now is 12:47 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright Š2007 - 2008, www.linux-archive.org