[SOLVED] LDAP user's password change issue

General support questions
rusorusich
Posts: 6
Joined: 2018/02/22 10:07:47

[SOLVED] LDAP user's password change issue

Post by rusorusich » 2018/03/23 16:29:12

Hello,
I banged my head against user password change in OpenLDAP (with passwd). Surfing the web over and over, I found a way to permit users to change their password, but with some strange behaviours. These are my ACLs in olcDatabase{2}hdb.ldif:

[root@centosserver ~]# grep olcAccess /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}hdb.ldif 
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=example,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=example,dc=com" write by self write  by * read

I can correctly log in to a CentOS 7 LDAP client, but if I try to change the user password with a new password I get:

[user1@centosclient ~]$ passwd
Changing password for user user1.
(current) LDAP Password: 
New password: 
Retype new password: 
password change failed: Invalid credentials
passwd: Authentication token manipulation error

But if I enter the old password as the new one too, I get:

[user1@centosclient ~]$ passwd
Changing password for user user1.
(current) LDAP Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

Anyway, in both cases the change is accepted. In the second case the password obviously remains the same. I can't accept this compromise, because when this solution goes into production, users will not know whether they have changed their password or not.

Can someone help me?
Thanks
Last edited by rusorusich on 2018/03/27 10:45:21, edited 3 times in total.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: User's password change issue

Post by TrevorH » 2018/03/23 17:25:06

I checked mine on el6 and it has

olcAccess: {1}to attrs=userPassword by self write  by * auth
olcAccess: {2}to attrs=shadowLastChange by self write  by * read
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

rusorusich
Posts: 6
Joined: 2018/02/22 10:07:47

Re: User's password change issue

Post by rusorusich » 2018/03/25 12:04:17

TrevorH wrote: I checked mine on el6 and it has

olcAccess: {1}to attrs=userPassword by self write  by * auth
olcAccess: {2}to attrs=shadowLastChange by self write  by * read

If I'm not mistaken, parameters like olcAccess are automatically numbered starting from {0} (zero), so in your example something might be missing. It may depend on the method you used to configure your LDAP (ldapadd/ldapmodify or manual edit), but I'm not sure of that.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: LDAP user's password change issue

Post by TrevorH » 2018/03/25 14:05:45

Yes, I omitted the first rule as it had nothing to do with the problem you're trying to solve.

rusorusich
Posts: 6
Joined: 2018/02/22 10:07:47

Re: LDAP user's password change issue

Post by rusorusich » 2018/03/26 09:13:33

I tried to add 'olcAccess: {1}to attrs=userPassword by self write by * auth' and 'olcAccess: {2}to attrs=shadowLastChange by self write by * read', and now I can't change the password anymore.

[user1@centosclient ~]$ passwd
Changing password for user user1.
(current) LDAP Password: 
New password: 
Retype new password: 
password change failed: Insufficient access
password change failed: Insufficient access
passwd: Authentication token manipulation error

rusorusich
Posts: 6
Joined: 2018/02/22 10:07:47

Re: LDAP user's password change issue

Post by rusorusich » 2018/03/26 09:32:57

My mistake: the additional ACLs must be added to olcDatabase{2}hdb instead of olcDatabase{0}config. But now I'm back at the starting point: the user can change the password, but he gets:
"password change failed: Invalid credentials
passwd: Authentication token manipulation error"

rusorusich
Posts: 6
Joined: 2018/02/22 10:07:47

Re: LDAP user's password change issue

Post by rusorusich » 2018/03/26 12:08:57

Is there anyone who can share their CentOS 7 OpenLDAP configuration, please?

rusorusich
Posts: 6
Joined: 2018/02/22 10:07:47

Re: [SOLVED] LDAP user's password change issue

Post by rusorusich » 2018/03/27 10:46:45

The correct ACLs are:

olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=example,dc=com" write by * read
