Passwd troubles with OpenLDAP on FreeBSD 5/6
Juergen Dankoweit
Juergen.Dankoweit at T-Online.de
Fri Oct 6 12:31:06 PDT 2006
Hello to the list.
For two weeks I have been trying to find out what's going on in my LDAP
installation (I've looked/posted in forums and all over the internet;
nobody knew anything).
Changing the password with passwd (I have modified passwd.c to work with
LDAP, see attachment) throws out the following message:
"Enter login(LDAP) password:"
If I enter the LDAP password that is set in slapd.conf there, then
the prompt message is repeated. If I enter the password of the logged-in
user, then I get an error: "permission denied".
When I change the password with
>>ldappasswd -W -S -D "cn=Manager,dc=juergendankoweit,dc=net"
"uid=<UserID>,ou=Users,dc=juergendankoweit,dc=net"<< everything is OK.
Logging in with that user data is no problem; that works very well.
As you can see in the attached files there are no restrictions set
(access to * by * write), there is no TLS or SASL.
(+) Installed packages on the client (FreeBSD 6.1):
nss_ldap-1.244, pam_ldap-1.8.0, openldap-client-2.2.30
(as a dependency of the first two)
(+) On the server (FreeBSD 5.4):
openldap-server-2.2.30
Many thanks in advance for helping.
Best regards
Jürgen
PS: /usr/local/etc/ldap.conf and /usr/local/etc/openldap/ldap.conf are
the same and ldap.secret contains the same password (here in clear text)
as in slapd.conf on the server.
PPS: Sorry for the long posting, but I don't know where to do what...
-------------- next part --------------
#
# $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass config=/usr/local/etc/pam_ldap.conf
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account sufficient /usr/local/lib/pam_ldap.so config=/usr/local/etc/pam_ldap.conf
account required pam_login_access.so
account required pam_unix.so
# session
#session optional pam_ssh.so
session required /usr/local/lib/pam_mkhomedir.so
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass config=/usr/local/etc/pam_ldap.conf
password required pam_unix.so no_warn try_first_pass
-------------- next part --------------
# /usr/local/etc/openldap/slapd.conf
# created: 23.02.2006
#
# =====================================================================
include /usr/local/etc/openldap/schema/core.schema
# include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# for Evolution
# ---------------------------------------------------------------------
include /usr/X11R6/share/gnome/evolution-data-server-1.4/evolutionperson.schema
# Access rights
# ---------------------------------------------------------------------
# access to attr=userPassword
# by dn="cn=Manager,dc=juergendankoweit,dc=net" write
# by self write
# by * none
access to * by * write
allow bind_v2
# PID and args file
# ---------------------------------------------------------------------
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Database permissions and configuration
# ---------------------------------------------------------------------
database ldbm
directory /database/openldap-data
# Base database
# ---------------------------------------------------------------------
suffix "dc=juergendankoweit,dc=net"
rootdn "cn=Manager,dc=juergendankoweit,dc=net"
# Password: #######
rootpw {CRYPT}passwort
# Indexing rule for object classes
# ---------------------------------------------------------------------
index objectClass eq
TLSVerifyClient never
# Debugging
# ---------------------------------------------------------------------
# loglevel 128
-------------- next part --------------
#
# $FreeBSD: src/etc/pam.d/passwd,v 1.3 2003/04/24 12:22:42 des Exp $
#
# PAM configuration for the "passwd" service
#
# passwd(1) does not use the auth, account or session services.
# password
#password requisite pam_passwdqc.so enforce=users
password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass config=/usr/local/etc/pam_ldap.conf
password required pam_unix.so no_warn try_first_pass nullok
-------------- next part --------------
uri ldap://192.168.1.1:389
base dc=juergendankoweit,dc=net
rootbinddn cn=Manager,dc=juergendankoweit,dc=net
ldap_version 3
ssl off
bind_timelimit 10
# bind_policy soft
pam_password crypt
pam_filter objectclass=posixAccount
pam_login_attribute uid
# pam_member_attribute memberUid
scope sub
# Debugging
# debug 256
# logdir /var/log
-------------- next part --------------
uri ldap://192.168.1.1:389
base dc=juergendankoweit,dc=net
rootbinddn cn=Manager,dc=juergendankoweit,dc=net
ldap_version 3
ssl off
bind_timelimit 10
# bind_policy soft
scope sub
nss_base_passwd ou=Users,dc=juergendankoweit,dc=net?one
# nss_base_shadow ou=Users,dc=juergendankoweit,dc=net?one
nss_base_group ou=Groups,dc=juergendankoweit,dc=net?one
# Debugging
# debug 256
# logdir /var/log
-------------- next part --------------
uri ldap://192.168.1.1:389
base dc=juergendankoweit,dc=net
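An added check (my own example, not code from the post or from OpenLDAP/pam_ldap) that parses ACL and pam_ldap.conf lines of the kind attached above and flags the two settings a reviewer would raise: `access to * by * write`, which lets any bind, anonymous included, rewrite userPassword, and `ssl off` over plain ldap://, which puts the rootbinddn secret and user passwords on the wire in clear text. The sample configs are constructed from the attachments; `hardened_acl()` returns the ACL the commented-out block is reaching for, with `by anonymous auth` so simple binds still work.

```python
"""Audit slapd.conf ACLs and pam_ldap.conf for password-exposing settings (added example, not the poster's code)."""
import re

# Constructed samples: the password-relevant lines from the post's attachments.
SLAPD_CONF = "access to * by * write\nrootdn \"cn=Manager,dc=juergendankoweit,dc=net\"\n"
PAM_LDAP_CONF = "uri ldap://192.168.1.1:389\nssl off\npam_password crypt\n"

def parse_access(text):
    """[(what, [(who, level), ...])] per 'access to'; 'by' may continue on indented lines."""
    rules, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"access\s+to\s+(.+?)(?=\s+by\s|\s*$)", line)
        if m:
            cur = (m.group(1), [])
            rules.append(cur)
            line = line[m.end():]
        elif line and not line.startswith("by"):
            cur = None  # any other directive ends the access block
        if cur is not None:
            cur[1].extend(re.findall(r"\bby\s+(\S+)\s+(\w+)", line))
    return rules

def parse_kv(text):
    """'key value' lines as in pam_ldap.conf, comments and bare keys skipped."""
    pairs = (raw.split("#", 1)[0].split(None, 1) for raw in text.splitlines())
    return {k: v.strip() for k, v in (p for p in pairs if len(p) == 2)}

def audit(slapd_text, pam_text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for what, bys in parse_access(slapd_text):
        for who, lvl in bys:
            # '*' includes anonymous binds: anyone could replace userPassword
            if who in ("*", "anonymous", "users") and lvl == "write":
                findings.append(f"slapd.conf: 'access to {what} by {who} write' "
                                f"lets {who} modify userPassword on any entry")
    kv = parse_kv(pam_text)
    if kv.get("uri", "").startswith("ldap://") and kv.get("ssl") != "start_tls":
        findings.append("pam_ldap.conf: plain ldap:// without start_tls sends the "
                        "rootbinddn secret and user passwords in clear text")
    return findings

def hardened_acl():
    """First matching rule wins in slapd, so the userPassword rule comes first;
    'by anonymous auth' keeps simple binds working while hiding the hashes."""
    return ("access to attrs=userPassword\n    by self write\n"
            "    by anonymous auth\n    by * none\n"
            "access to *\n    by self write\n    by * read\n")
```

Running `audit(SLAPD_CONF, PAM_LDAP_CONF)` reports both findings; feeding it `hardened_acl()` together with `ssl start_tls` reports none.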