
News : LinuxSolved.com Linux Help Community Forum..


Author Topic: how to change password from ldap client machine on LDAP Linux Server  (Read 11643 times)

Offline tina

  • Linux Noob !
  • *
  • Posts: 7
Hi Dear,
I have configured ldap server on RHEL 5.2. On the client side where I also have Linux, any client is unable to change its password.
Any client can log in with its password provided by root, but is unable to change it after logging in.
e.g., [lclient] /home/user1 > ldappasswd -x -S user1, or simply using the passwd command and the ldappasswd command.

Help.....


Tina

Offline gauravbajaj

  • LST CareTaker
  • Experienced
  • *****
  • Posts: 658
Re: how to change password from ldap client machine on LDAP Linux Server
« Reply #1 on: April 20, 2010, 06:23:00 AM »
Try using normal passwd command instead of ldappasswd.

Steps:
1. Log in to the client with the username
2. passwd  { it prompts for the old LDAP passwd and the new one }

Please note that you may get an insufficient privileges or "Server is unwilling to perform" error. To get rid of this, try adding the following entry at the top of the /etc/pam.d/passwd file and try changing the passwd again using the passwd command.


/etc/pam.d/passwd
password sufficient     pam_ldap.so





Offline tina

  • Linux Noob !
  • *
  • Posts: 7
Re: how to change password from ldap client machine on LDAP Linux Server
« Reply #2 on: April 20, 2010, 11:28:09 AM »
Thanks for the reply....

I am using slc-4.6 on the client side, just like RHEL. I made the entry in /etc/pam.d/sshd on the client side but it did not work. Following is the problem

[lclient] /ldaphome/client1 > passwd
W: you do not appear to have a valid Kerberos5 TGT and haven't given a username
W: will try to use your current user name 'client1'.
W: if this is wrong or fails, please run "kinit" before trying to change your password
W: or
W: explicitly specify the username, like 'kpasswd username@CERN.CH'
I: New password activation may take up to 30 seconds.
 Please provide first your old/current password, then the new password twice.
/usr/kerberos/bin/kpasswd: Cannot resolve network address for KDC in requested realm getting initial ticket

My /etc/pam.d/system-auth file on client side has following entries..

auth            required          pam_env.so
auth            sufficient      pam_unix.so
auth            sufficient      pam_ldap.so likeauth nullok use_first_pass
auth            required          pam_deny.so

account  sufficient     pam_unix.so
account  sufficient     pam_ldap.so use_first_pass
account  required         pam_deny.so

password        required          pam_cracklib.so retry=3 minlen=2  dcredit=0  ucredit=0
password        sufficient      pam_unix.so nullok use_authtok md5 shadow
password        sufficient      pam_ldap.so
password        required          pam_deny.so

session  optional         pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required         pam_limits.so
session  required         pam_unix.so
session  optional         pam_ldap.so

Any suggestions...Thanks in advance


Offline gauravbajaj

  • LST CareTaker
  • Experienced
  • *****
  • Posts: 658
Re: how to change password from ldap client machine on LDAP Linux Server
« Reply #3 on: April 20, 2010, 03:06:12 PM »
This is weird. Why is it asking for Kerberos auth? Are you running Kerberos integrated with LDAP? It shouldn't be the case if only LDAP is running. I believe you have a Kerberos server too, otherwise it wouldn't ask you for a Kerberos TGT.

Offline tina

  • Linux Noob !
  • *
  • Posts: 7
Re: how to change password from ldap client machine on LDAP Linux Server
« Reply #4 on: April 21, 2010, 09:30:00 AM »
Well, I have not configured Kerberos on the client machine, but this is happening on the SLC-4.6 flavour.
After that I configured one client machine with RHEL-5.2 and now client is able to change its password.
And I have not made any changes in /etc/pam.d/system-auth or /etc/pam.d/sshd files as well.


What's the problem with SLC-4.6, Let's see....

Any suggestions......... : :)

Offline gauravbajaj

  • LST CareTaker
  • Experienced
  • *****
  • Posts: 658
Re: how to change password from ldap client machine on LDAP Linux Server
« Reply #5 on: April 21, 2010, 03:35:08 PM »
I have never worked with SLC. Moreover, you are able to change the password once you installed RHEL5.2, as you already have the following entry in your PAM configuration file.
password        sufficient      pam_ldap.so

Offline tina

  • Linux Noob !
  • *
  • Posts: 7
Re: how to change password from ldap client machine on LDAP Linux Server
« Reply #6 on: April 22, 2010, 06:04:08 AM »
Lot of thanks. I am still working on it. If I find any solution, I will post it.

Offline gauravbajaj

  • LST CareTaker
  • Experienced
  • *****
  • Posts: 658
Re: how to change password from ldap client machine on LDAP Linux Server
« Reply #7 on: April 22, 2010, 06:44:16 AM »
Not sure, but how are you trying to configure the client? Are you doing it from authconfig? Make sure to disable TLS/SSL or Kerberos authentication.
Also check your /etc/nsswitch.conf file.
Anyway, share here once you find the solution.


Offline tina

  • Linux Noob !
  • *
  • Posts: 7
OK. SLC has customized its PATH environment variable. When we use the /usr/bin/passwd command from the client side, the client is able to change its password while being prompted for the old LDAP password.

Offline gauravbajaj

  • LST CareTaker
  • Experienced
  • *****
  • Posts: 658
Ah okay, that means you have to give the absolute (complete) path name rather than a relative one?
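
The two checks this thread ends up needing, as an added example that is not part of the original posts: list every passwd the PATH can reach, in search order, and confirm that pam_ldap.so sits in the PAM password stack ahead of pam_deny.so. The helper names and the temporary directory layout are hypothetical; the four PAM lines are the ones posted above.

```shell
#!/bin/sh
# Added example; the directory layout built in demo() is constructed.

# Print every executable named $1 along the PATH-style string $2, in search order.
resolve_all() {
    old_ifs=$IFS; IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.      # an empty PATH entry means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then printf '%s\n' "$dir/$1"; fi
    done
    IFS=$old_ifs
}

# Succeed only if the first match for $1 along $3 is the expected binary $2.
first_match_is() {
    [ "$(resolve_all "$1" "$3" | head -n 1)" = "$2" ]
}

# Print the module of each active "password" line of PAM file $1, in stack order.
password_stack() {
    awk '$1 == "password" { for (i = 2; i <= NF; i++) if ($i ~ /pam_[a-z0-9_]+\.so$/) { print $i; break } }' "$1"
}

# Succeed if pam_ldap.so is in that stack and is reached before pam_deny.so.
ldap_in_password_stack() {
    password_stack "$1" | awk '/pam_ldap\.so$/ { ok = 1; exit } /pam_deny\.so$/ { exit } END { exit !ok }'
}

demo() {
    root=$(mktemp -d)
    mkdir -p "$root/site/bin" "$root/usr/bin"
    printf '#!/bin/sh\nexec kpasswd "$@"\n' > "$root/site/bin/passwd"  # stand-in for a site passwd
    printf '#!/bin/sh\n' > "$root/usr/bin/passwd"                       # stand-in for the system binary
    chmod +x "$root/site/bin/passwd" "$root/usr/bin/passwd"
    # Password stack as posted in the thread.
    cat > "$root/system-auth" <<'EOF'
password        required          pam_cracklib.so retry=3 minlen=2  dcredit=0  ucredit=0
password        sufficient      pam_unix.so nullok use_authtok md5 shadow
password        sufficient      pam_ldap.so
password        required          pam_deny.so
EOF
    resolve_all passwd "$root/site/bin:$root/usr/bin"
    first_match_is passwd "$root/usr/bin/passwd" "$root/site/bin:$root/usr/bin" \
        || echo "passwd is shadowed by an earlier PATH entry"
    ldap_in_password_stack "$root/system-auth" && echo "pam_ldap.so handles password changes"
    rm -rf "$root"
}
demo
```

On a real client, `resolve_all passwd "$PATH"` and `ldap_in_password_stack /etc/pam.d/system-auth` run the same checks against the live configuration.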