[ale] LDAP Experts

Allgood, John jallgood at ohl.com
Thu Jun 24 09:00:09 EDT 2010


Yeah, the posix schemas are loaded and I have my ACLs working. I changed my /etc/ldap.conf and set pam_password to exop. Everything works fine when changing the password using passwd, but now password history and check_password that was borrowed from the ltb-project are not working. I think it has something to do with the format the passwords are stored in. Thanks for the input.

John Allgood
Senior Systems Administrator
OHL Transportation Services
2251 Jesse Jewell Pky. NE
Gainesville, GA 30507
tel: (678) 989-3051  fax: (770) 531-7878

jallgood at ohl.com
www.ohl.com

From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Jerald Sheets
Sent: Wednesday, June 23, 2010 11:27 AM
To: Atlanta Linux Enthusiasts - Yes! We run Linux!
Subject: Re: [ale] LDAP Experts


On Wed, Jun 23, 2010 at 11:05 AM, Allgood, John <jallgood at ohl.com> wrote:
Hey Guys

Anyone here using ldap? I have built openldap 2.4.21 on CentOS 5.5 and have set up ppolicy and smbk5.

openldap 2.3.27-8.el5_1.3 over RHEL 5.2 with no ppolicy or smbk5

Everything works fine when using ldappasswd to set the password. When I force a pwdReset the system forces me to use the passwd program which does not update everything in ldap correctly nor adhere to my ppolicy.

Did you load the POSIX schemas?
Does your slapd credentials stuff look sorta like this:

##################################
#
# Grant access to Change Password
#
##################################

access to attrs=userPassword
   by self write
   by anonymous auth
   by dn.base="cn=admin,dc=your,dc=domain" write
   by * none

access to *
   by self write
   by dn.base="cn=admin,dc=your,dc=domain" write
   by * read


Have you tried using something like Apache's Directory Studio to do password changes instead? Most of my management gets done through there.

I assume it is something in /etc/pam.d/system-auth but I'm not very familiar with pam. I thought about creating a script and linking the passwd program to that script, but I'm not sure how that would behave when forced to change the password via GDM.

The only thing I use in system-auth is

session     required     pam_mkhomedir.so

to automagically create user directories on first login.  Everything else is DIST.

Sorry if the issues are being introduced through the ppolicy or smbk5, as I have no help for you there.


--jms

______________________________________________________

This e-mail transmission may contain information that is proprietary, privileged and/or confidential and is intended exclusively for the person(s) to whom it is addressed. Any use, copying, retention or disclosure by any person other than the intended recipient or the intended recipient's designees is strictly prohibited. If you are not the intended recipient or their designee, please notify the sender immediately by return e-mail and delete all copies.
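As an added example (not code from the thread, and not part of OpenLDAP), here is a small Python model of how slapd evaluates the two ACL stanzas Jerald quoted: the first "access to" whose target matches the attribute wins, and within it the first "by" whose subject matches the binder. It handles only the target and subject forms used in the thread, and the reversed copy of the stanzas shows why their order decides who can read userPassword.

```python
import shlex

def parse_acls(text):
    """[(target, [(subject, level), ...]), ...] from slapd.conf 'access' lines."""
    acls = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line.startswith("access to "):
            acls.append((line[10:].strip(), []))
        elif line.startswith("by ") and acls:
            subject, level = shlex.split(line[3:])  # shlex strips the DN quotes
            acls[-1][1].append((subject, level))
    return acls

def subject_matches(subject, binder, entry_dn):
    # binder is None for an anonymous bind, otherwise the bind DN.
    if subject == "*":
        return True
    if subject == "anonymous":
        return binder is None
    if binder is None:
        return False
    if subject == "self":
        return binder.lower() == entry_dn.lower()
    return subject.startswith("dn.base=") and binder.lower() == subject[8:].lower()

def granted(acls, binder, entry_dn, attr):
    """Level (none/auth/read/write) binder gets on attr of entry_dn; first match wins."""
    for target, clauses in acls:
        # Only the two target forms the thread uses: '*' and 'attrs=a,b,c'.
        if target == "*" or (target.startswith("attrs=") and attr in target[6:].split(",")):
            for subject, level in clauses:
                if subject_matches(subject, binder, entry_dn):
                    return level
            return "none"  # target matched but no 'by' did: implicit 'by * none'
    return "none"  # no directive matched: slapd denies once any ACL is configured

# Constructed sample: the two stanzas quoted in the thread, in the order given.
ACL_TEXT = """access to attrs=userPassword
   by self write
   by anonymous auth
   by dn.base="cn=admin,dc=your,dc=domain" write
   by * none
access to *
   by self write
   by dn.base="cn=admin,dc=your,dc=domain" write
   by * read
"""
ACLS = parse_acls(ACL_TEXT)
# Reversed order: 'access to *' matches userPassword first, so 'by * read' exposes every hash.
REVERSED = ACLS[::-1]
```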