Tried to do the above with this tutorial:
https://www.unixguide.net/content/openldap-allow-users-change-their-password-unix-passwd-command
So I created this ldif:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="cn=ldapadm,dc=bbb,dc=local" write by * none
add: olcAccess
olcAccess: to * by self write by dn.base="cn=ldapadm,dc=bbb,dc=local" write by * read
Ran the ldapmodify, now no user can log into any client with their password when they could before I ran the above modify.
now attempting to login says permission denied after correct password is entered....what did I break ?? (totally new to openldap)
And as it might be relevant this is how I got my clients connected to my openldap server:
yum install -y openldap-clients nss-pam-ldapd
authconfig --enableldap --enableldapauth --ldapserver=192.168.1.10 --ldapbasedn="dc=bbb,dc=local" --enablemkhomedir --update
Out of the box, if I type passwd on an ldap user...the resulting happens:
[ldapuser@sdss5-db ~]$ passwd
Changing password for user ldapuser.
(current) LDAP Password:
New password:
Retype new password:
password change failed: Insufficient access
passwd: Authentication token manipulation error
Though again that ldif file above with the olcAccess broke my ldap didn't make anything work (had to revert the VM back to before I ran that command..mostly because I am new to ldap and don't know how to remove items etc)
Here are all my cn=config files:
olcDatabase={-1}frontend.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 daf543d1
dn: olcDatabase={-1}frontend
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
structuralObjectClass: olcDatabaseConfig
entryUUID: 1244881e-5cf7-103b-94a5-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
entryCSN: 20210608224613.408737Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210608224613Z
olcDatabase={0}config.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 54d58ed2
dn: olcDatabase={0}config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" manage by * none
structuralObjectClass: olcDatabaseConfig
entryUUID: 12448a9e-5cf7-103b-94a6-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
entryCSN: 20210608224613.408801Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20210608224613Z
olcDatabase={1}monitor.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 3165478b
dn: olcDatabase={1}monitor
objectClass: olcDatabaseConfig
olcDatabase: {1}monitor
structuralObjectClass: olcDatabaseConfig
entryUUID: 12448d32-5cf7-103b-94a7-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al, cn=auth" read by dn.base="cn=ldapadm,dc=bbb,dc=local" read by * none
entryCSN: 20210608225001.645649Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210608225001Z
olcDatabase={2}hdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 89413e34
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 1244907a-5cf7-103b-94a8-5f5943b4315f
creatorsName: cn=config
createTimestamp: 20210608224613Z
olcSuffix: dc=bbb,dc=local
olcRootDN: cn=ldapadm,dc=bbb,dc=local
olcRootPW:: e1NTSEF9QTB0dS94UjR6cy83ZEMvQUxPL21uS2RLaXZUeFNXVEg=
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.ba
se="cn=ldapadm,dc=bbb,dc=local" write by * none
entryCSN: 20210702202550.687485Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20210702202550Z
It seems it is not writing the second portion of:
add: olcAccess
olcAccess: to * by self write by dn.base="cn=ldapadm,dc=unixguide,dc=net" write by * read
To the olcDatabase={2}hdb.ldif , as going by the example it has olcAccess: {1}to * by self write by dn.base="cn=ldapadm,dc=unixguide,dc=net" write by * read
I am guessing this is what is not working and nuking the ability to login after I run the command. I am not sure why it is not showing up though as I get no errors when I run the modify command with my ldif posted above...
The result from the ldap modify is this:
[root@openldapserver ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f passwordaccess.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
In
dn: olcDatabase={2}hdb,cn=config
you specify which rule to replace/add. My system has password access rules indn: olcDatabase={-1}frontend
.Make sure to target the correct rule.