On Mon, 20 Jan 2014 19:48:40 -0700, Joshua Schaeffer <jschaeffer0...@gmail.com> wrote:
> Thanks for the explanation, that really helped. I didn't know about
> the '+' and was able to see some ppolicy operational attributes on my
> uid. I read the slapo-ppolicy manual page and that also helped
> clarify a few things. You stated that users being able to change their
> own password depends on access rights. These are the access rights
> I have in my database. Are these correct to allow users to change
> their password?
>
> ===================================================
> root@baneling:~# ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <olcDatabase={1}hdb,cn=config> with scope subtree
> # filter: (objectclass=*)
> # requesting: olcAccess
> #
>
> # {1}hdb, config
> dn: olcDatabase={1}hdb,cn=config
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=harmonywave,dc=com" write by * none
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write by * read
>
> # {0}ppolicy, {1}hdb, config
> dn: olcOverlay={0}ppolicy,olcDatabase={1}hdb,cn=config
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
> ===================================================
>
> I've been fiddling with my setup to see if I can't get it to work. I
> read that you need to tell PAM on the client server to do a lookup
> for password policies using 'pam_lookup_policy yes' in the
> /etc/pam_ldap.conf file. I was using libpam-ldapd instead of
> libpam-ldap, which doesn't use the pam_ldap.conf file for its
> configuration (it shares its config file with libnss-ldapd, which is
> /etc/nslcd.conf).
> I uninstalled libpam-ldapd and installed libpam-ldap instead, adjusted
> the config file, and it appears to be getting a little further. Now
> when I try to change my password on a client server I get the
> following:
>
> ===================================================
> jschaeffer@defiler:~$ passwd
> Enter login(LDAP) password:
> New password:
> Re-enter new password:
> LDAP password information update failed: Insufficient access
> Must supply old password to be changed as well as new one
> passwd: Permission denied
> passwd: password unchanged
> ===================================================
>
> I'm not sure why it wouldn't recognize that I did enter my previous
> password before I attempted to change it.
[...]

Run slapd(8) in debugging mode with -d acl

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
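What the `-d acl` trace will print can also be worked out by hand from the three olcAccess values quoted above, because slapd.access(5) evaluation is strictly first-match: the first `to` clause whose `<what>` covers the entry/attribute is selected, then the first `by` clause in it whose `<who>` covers the bound identity decides, and nothing after that is consulted. The Python below is an added example for this thread, not OpenLDAP code and not anything posted by either participant. It models that evaluation for exactly the `<what>` and `<who>` forms that appear in the quoted ACLs (the user DN `uid=jschaeffer,ou=people,dc=harmonywave,dc=com` is an assumption), and it also builds the delete-plus-add Modify that slapo-ppolicy's `pwdSafeModify` option accepts; the second line of the quoted `passwd` output is the text ppolicy returns when that option is TRUE and the Modify carried no old value, which is a separate check from the ACL one.

```python
"""Model of slapd ACL first-match evaluation, plus a pwdSafeModify-style
password change.  Added example for this thread; not OpenLDAP code.
Assumptions: only the <what>/<who> forms present in the quoted olcAccess
values are handled, and USER below is a made-up DN for illustration."""
import re
import shlex

# Access levels in increasing order (slapd.access(5)); 'write' covers add/delete.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ADMIN = "cn=admin,dc=harmonywave,dc=com"
USER = "uid=jschaeffer,ou=people,dc=harmonywave,dc=com"   # assumed DN

# The three olcAccess values from the quoted ldapsearch output, verbatim.
OLC_ACCESS = [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=admin,dc=harmonywave,dc=com" write by * none',
    '{1}to dn.base="" by * read',
    '{2}to * by self write by dn="cn=admin,dc=harmonywave,dc=com" write by * read',
]


def parse_clause(value):
    """Split one olcAccess value into (<what>, [(<who>, <access>), ...])."""
    value = re.sub(r"^\{\d+\}", "", value).strip()   # drop the {n} ordering prefix
    toks = shlex.split(value)                        # keeps dn="a,b" together, strips quotes
    if toks[0] != "to" or "by" not in toks:
        raise ValueError("not an access clause: " + value)
    first_by = toks.index("by")
    what = " ".join(toks[1:first_by])
    bys = []
    i = first_by
    while i < len(toks):                             # each 'by <who> <access>' triple
        bys.append((toks[i + 1], toks[i + 2]))
        i += 3
    return what, bys


def what_matches(what, target_dn, attr):
    """Does a <what> selector cover the (entry, attribute) being accessed?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[len("attrs="):].lower().split(",")
    if what.startswith("dn.base="):                  # exact DN; "" is the root DSE
        return target_dn.lower() == what[len("dn.base="):].lower()
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bind_dn, target_dn):
    """Does a <who> selector cover the bound identity? ("" means anonymous)"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn.lower() == who[len("dn="):].lower()
    raise ValueError("unsupported <who>: " + who)


def access(acls, bind_dn, target_dn, attr=None):
    """Return (level, clause_index, by_index): the first 'to' clause whose
    <what> matches is selected, then its first matching 'by' decides; later
    clauses are never consulted, and no match at all means access is denied."""
    for ci, value in enumerate(acls):
        what, bys = parse_clause(value)
        if not what_matches(what, target_dn, attr):
            continue
        for bi, (who, level) in enumerate(bys):
            if who_matches(who, bind_dn, target_dn):
                return level, ci, bi
        return "none", ci, None
    return "none", None, None


def allows(level, needed):
    """Is access level 'level' at least 'needed' (e.g. write for a modify)?"""
    return LEVELS.index(level) >= LEVELS.index(needed)


def safe_modify_ldif(dn, old_pw, new_pw):
    """LDIF for the Modify form slapo-ppolicy accepts when pwdSafeModify is
    TRUE: delete the old value and add the new one in a single operation, so
    the server can verify the old password.  A bare 'replace: userPassword'
    carries no old value and is answered with
    "Must supply old password to be changed as well as new one"."""
    return (f"dn: {dn}\nchangetype: modify\n"
            f"delete: userPassword\nuserPassword: {old_pw}\n-\n"
            f"add: userPassword\nuserPassword: {new_pw}\n-\n")


if __name__ == "__main__":
    for label, bind in [("self", USER), ("anonymous", ""), ("admin", ADMIN),
                        ("other user", "uid=someone,ou=people,dc=harmonywave,dc=com")]:
        level, ci, bi = access(OLC_ACCESS, bind, USER, "userPassword")
        print(f"{label:>10} on userPassword: {level:5} (clause {{{ci}}}, by #{bi}), "
              f"modify allowed: {allows(level, 'write')}")
    print(safe_modify_ldif(USER, "oldsecret", "newsecret"))
```

Run it and the quoted ACLs come out as intended for the question asked: the bound user gets `write` on his own userPassword from clause {0}, anonymous gets `auth` (enough to bind, not to read), admin gets `write`, and everyone else `none`; clause {2}'s `by self write` never applies to userPassword because clause {0} already matched. If the `-d acl` trace on the server agrees with that, the "Insufficient access" is not coming from these three clauses and the ppolicy side (the old-value check above, or a `pwdSafeModify`/client Modify mismatch) is the next thing to look at.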