This is my setup: Server: Openldap 2.4.39 installed on RHEL7 Ldap clients: RHEL7 and RHEL5
I set up this directive on the ldap clients (/etc/sssd/sssd.conf) to prevent users with expired accounts to login: ldap_pwd_policy = shadow. This works as expected. Now I need to allow users to reset their ldap password after logging in to an ldap client. This is what is logged when a user attempts to reset their password using passwd: rhel7 ldap client: # passwd Changing password for user real Current password: New password: Retype new password: passwd: Authentication token manipulation error rhel7 ldap server: /var/log/secure pam_unix(passwd:chauthtok): user “real” does not exist in the /etc/passwd pam_sss(passwd:chauthtok): Password change failed for user real: 28 (Module is unknown) Gkr-pam: couldn’t update the login keyring password: no old password was Entered In an attempt to allow users to change their ldap password, i edited my ACL on the ldap server and added 'shadowLastChange': dn: olcDatabase={2}hdb,cn=config add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by anonymous auth by * none olcAccess: {1}to * by self write by dn.base="cn=Alien,dc=cluster,dc=sec312" write by * read However that did not work, on the ldap clients I get this on the logs: pam_unix(sshd:auth): authentication failure pam_sss(sshd:auth): authentication failure pam_sss(sshd:auth): received for user reaL 4 (System error) This is the /etc/pam.d/system-auth file on the rhel7 ldap client: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so try_first_pass auth requisite pam_succeed_if.so uid >= 1000 quiet_success auth sufficient pam_sss.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_localuser.so account sufficient pam_succeed_if.so uid < 1000 quiet account [default=bad success=ok user_unknown=ignore] pam_sss.so account required pam_permit.so password requisite pam_pwquality.so try_first_pass local_users_only retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 authtok_type= password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok password sufficient pam_sss.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so -session optional pam_systemd.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_sss.so ~ What other directive do I need to set to allow users to reset their ldap password when they call passwd? Thank you, Liz