Anyone?

Siddharth Choure
Senior Systems Engineer
On 11/22/13, 4:15 PM, "Choure, Sidd" <[email protected]> wrote:

> Everything is set up on RHEL 6.4 with OpenLDAP 2.4.
>
> I have one provider and one consumer. StartTLS has been enabled and
> everything is working as intended. My only problem arises here -
> When a user is set up with a password and he tries to change his password
> on a consumer-pointing client, I get a "passwd: Authentication token
> manipulation error". This message is misleading since the password is in
> fact changed on the provider (I have the olcUpdateRef directive set up).
> This creates a situation where the user can log in to consumer-pointed
> boxes with his old password and provider-pointed boxes with his new
> password. If the user tries to change his password for the second time on
> consumer-pointed boxes, I get "Password change failed. Server message:
> unwilling to verify old password passwd: Authentication token
> manipulation error", which understandably is because the password in the
> actual LDAP db is different from what is being supplied and being
> accepted by the client. What is going on here? Why isn't the password
> getting updated properly in the consumer?
>
> Here are some of the relevant snippets of configs -
> For Syncrepl in olcDatabase={2}bdb.ldif on consumer
>
>
> ###For Replication
>
> olcSyncrepl: rid=100
>   provider="ldap://server.com"
>   type=refreshAndPersist
>   retry="60 30 300 +"
>   searchbase="dc=ex,dc=example,dc=com"
>   bindmethod=simple
>   binddn="cn=Manager,dc=ex,dc=example,dc=com"
>   credentials=secret
>   starttls=yes
>   tls_cacert=/etc/pki/CA/cacert.pem
>   tls_cert=/etc/pki/tls/certs/cert.pem
>   tls_key=/etc/pki/tls/certs/key.pem
> olcUpdateRef: ldap://server.com
>
>
> ACL on provider -
>
> olcAccess: to attrs=userPassword
>   by self write
>   by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
>   by anonymous auth
>   by * none
> olcAccess: to *
>   by self write
>   by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
>   by users read
> olcAccess: to attrs=entry
>   by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
>   by * read
>
>
> Let me know if any more configs are needed and I will post them. Any help
> is appreciated.
>
> Siddharth Choure
> Senior Systems Engineer
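A first check for the symptom above is whether the consumer has actually caught up with the provider after the referred password change. The script below is an added example, not part of this thread or of OpenLDAP: it parses the LDIF that `ldapsearch -LLL -s base -b dc=ex,dc=example,dc=com contextCSN` prints on each server (the two outputs embedded here are constructed, with serverID 001 assumed for the provider) and reports the replication lag per serverID.

```python
"""Compare contextCSN values from a syncrepl provider and consumer (added example)."""
import re
from datetime import datetime

CSN_RE = re.compile(r"^contextCSN:\s*(\S+)", re.MULTILINE)

# Constructed sample output of `ldapsearch -LLL -s base -b <suffix> contextCSN`
# run against the provider and the consumer; sid 001 is assumed for the provider.
PROVIDER_LDIF = """dn: dc=ex,dc=example,dc=com
contextCSN: 20131122161500.123456Z#000000#001#000000
"""
CONSUMER_LDIF = """dn: dc=ex,dc=example,dc=com
contextCSN: 20131122160000.654321Z#000000#001#000000
"""

def parse_csn(csn):
    """Split a CSN 'time#count#sid#mod' into a comparable tuple (fields are hex)."""
    ts, count, sid, mod = csn.split("#")
    when = datetime.strptime(ts, "%Y%m%d%H%M%S.%fZ")
    return when, int(count, 16), int(sid, 16), int(mod, 16)

def csns_by_sid(ldif):
    """Map serverID -> parsed CSN; a multi-provider setup has one CSN per sid."""
    out = {}
    for raw in CSN_RE.findall(ldif):
        parsed = parse_csn(raw)
        out[parsed[2]] = parsed
    return out

def replication_lag(provider_ldif, consumer_ldif):
    """Return {sid: lag_seconds}: 0.0 when caught up, None if the consumer
    has never received a change from that sid, else how far behind it is."""
    prov, cons = csns_by_sid(provider_ldif), csns_by_sid(consumer_ldif)
    lag = {}
    for sid, (p_when, p_cnt, _, p_mod) in prov.items():
        c = cons.get(sid)
        if c is None:
            lag[sid] = None
            continue
        c_when, c_cnt, _, c_mod = c
        behind = (c_when, c_cnt, c_mod) < (p_when, p_cnt, p_mod)
        lag[sid] = (p_when - c_when).total_seconds() if behind else 0.0
    return lag

def consumer_in_sync(provider_ldif, consumer_ldif):
    """True only when every provider CSN is already present on the consumer."""
    return all(v == 0.0 for v in replication_lag(provider_ldif, consumer_ldif).values())

if __name__ == "__main__":
    print(replication_lag(PROVIDER_LDIF, CONSUMER_LDIF))
```

A non-zero or None lag means the consumer never applied the provider's change, so the next thing to look at is the consumer's syncrepl log (loglevel sync) and whether the syncrepl binddn can read userPassword under the provider ACL.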
