Ldap password change broke when going from centos6 to centos7

azzid
Posts: 13
Joined: 2010/03/26 13:52:57

Ldap password change broke when going from centos6 to centos7

Post by azzid » 2017/04/13 07:40:30

I recently realized I am unable to change passwords on a server.

To troubleshoot I re-set up the ldap connection on a VM. That VM happened to be centos6, and when I tried the passwd change there it worked fine.
I paid better attention to detail and realized that the troublesome machine was centos7. I set up another VM and made the same ldap connection:

Code:

yum install -y openldap-clients nss-pam-ldapd
authconfig --enableforcelegacy --update
authconfig --enableldap --enableldapauth --ldapserver="ldap1.my.domain.com,ldap2.my.domain.com" --ldapbasedn="dc=my,dc=domain,dc=com" --update

On that VM I could replicate the issue:

Code:

[root@seven ~]# su myusername
[myusername@seven /root]$ passwd
Changing password for user myusername.
(current) LDAP Password:
New password:
Retype new password:
password change failed: Protocol error
passwd: Authentication token manipulation error
[myusername@seven /root]$

To troubleshoot further I fired up tcpdump and captured a password change on both machines. Filtering on ldap in wireshark I saw that the different servers do different ldap commands to do the password change.

centos7 uses an extendedReq named 1.3.6.1.4.1.4203.1.11.1 (passwdModifyOID) while centos6 does two "normal" modifyRequests to update the hash and last changed date separately.

The centos7 query seems to send the password in cleartext while the centos6 one seems to send only the hash ({crypt}abcabcbabcsomething).

The ldap servers are, as you might've guessed if you've read this far, about as old as time.
Is there any way I can encourage centos7 to do password changes without relying on the passwdModify extended request?
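The difference the poster saw in Wireshark can be checked programmatically. The following is an added example, not code from the poster, nss-pam-ldapd or any CentOS project: a minimal BER walker that builds the two shapes of LDAP password change (an extendedReq carrying the RFC 3062 password modify value, and a plain modifyRequest replacing userPassword) and classifies a message by which one it is and whether a cleartext new password is visible on the wire. The DN, passwords and the {crypt} hash are constructed sample values; the second modifyRequest from the centos6 capture (the last-changed date) is not modelled.

```python
from typing import Dict

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 password modify extended operation

# --- minimal BER helpers: single-byte tags, definite lengths (enough for these LDAP messages) ---

def ber_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def ber_encode(tag: int, value: bytes) -> bytes:
    """Encode one TLV with a definite (short or long form) length."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ber_seq(*items: bytes) -> bytes:
    return ber_encode(0x30, b"".join(items))

def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp ... } (no controls)."""
    return ber_seq(ber_encode(0x02, bytes([msg_id])), protocol_op)

# --- the two shapes of password change seen in the capture ---

def build_passwd_modify_request(msg_id: int, user_dn: str, old_pw: str, new_pw: str) -> bytes:
    """ExtendedRequest [APPLICATION 23] carrying an RFC 3062 PasswdModifyRequestValue (centos7 shape)."""
    value = ber_seq(ber_encode(0x80, user_dn.encode()),   # userIdentity [0]
                    ber_encode(0x81, old_pw.encode()),    # oldPasswd    [1]
                    ber_encode(0x82, new_pw.encode()))    # newPasswd    [2], as typed by the user
    ext = ber_encode(0x77, ber_encode(0x80, PASSWD_MODIFY_OID.encode())   # requestName  [0]
                           + ber_encode(0x81, value))                       # requestValue [1]
    return ldap_message(msg_id, ext)

def build_modify_request(msg_id: int, user_dn: str, attr: str, new_value: str) -> bytes:
    """ModifyRequest [APPLICATION 6] replacing one attribute with one value (centos6 shape)."""
    change = ber_seq(ber_encode(0x0A, b"\x02"),                        # operation: replace (2)
                     ber_seq(ber_encode(0x04, attr.encode()),          # PartialAttribute.type
                             ber_encode(0x31, ber_encode(0x04, new_value.encode()))))  # vals SET OF
    mod = ber_encode(0x66, ber_encode(0x04, user_dn.encode()) + ber_seq(change))
    return ldap_message(msg_id, mod)

# --- classifier: what a wire-level check of a password change should report ---

def classify(msg: bytes) -> Dict[str, object]:
    _, body, _ = ber_tlv(msg)                  # LDAPMessage SEQUENCE
    _, mid, pos = ber_tlv(body)                # messageID
    op_tag, op, _ = ber_tlv(body, pos)         # protocolOp
    r: Dict[str, object] = {"message_id": int.from_bytes(mid, "big"), "op": None,
                            "oid": None, "attribute": None, "hash_scheme": None,
                            "cleartext_password": None}
    if op_tag == 0x77:                         # extendedReq
        r["op"] = "extendedReq"
        _, name, pos = ber_tlv(op)
        r["oid"] = name.decode()               # LDAPOID travels as dotted-decimal text
        if r["oid"] == PASSWD_MODIFY_OID and pos < len(op):
            _, req_value, _ = ber_tlv(op, pos)
            _, fields, _ = ber_tlv(req_value)
            p = 0
            while p < len(fields):
                ftag, fval, p = ber_tlv(fields, p)
                if ftag == 0x82:               # newPasswd: the server, not the client, hashes it
                    r["cleartext_password"] = fval.decode()
    elif op_tag == 0x66:                       # modifyRequest
        r["op"] = "modifyRequest"
        _, _dn, pos = ber_tlv(op)
        _, changes, _ = ber_tlv(op, pos)
        p = 0
        while p < len(changes):
            _, change, p = ber_tlv(changes, p)
            _, _optype, q = ber_tlv(change)
            _, partial, _ = ber_tlv(change, q)
            _, attr, q = ber_tlv(partial)
            _, vals, _ = ber_tlv(partial, q)
            if attr == b"userPassword":
                r["attribute"] = "userPassword"
                _, v, _ = ber_tlv(vals)        # first value is enough for this check
                if v.startswith(b"{"):         # "{scheme}" prefix: client hashed it itself
                    r["hash_scheme"] = v[1:v.index(b"}")].decode()
                else:
                    r["cleartext_password"] = v.decode()
    return r

if __name__ == "__main__":
    dn = "uid=myusername,dc=my,dc=domain,dc=com"   # constructed from the post's base DN
    for m in (build_passwd_modify_request(1, dn, "old-secret", "new-secret"),
              build_modify_request(2, dn, "userPassword", "{crypt}$6$constructedsalt$constructedhash")):
        print(classify(m))
```

Run over a real capture (for instance the payloads of the poster's tcpdump after reassembly), the classifier flags the two things that matter here: a passwdModify extendedReq exposes the new password to anything that can read the session, so it belongs only on an ldaps:// or STARTTLS connection, and a server that answers it with "Protocol error" simply does not implement that extended operation, whereas the modifyRequest shape works against any server but leaves hash scheme and strength to the client.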
