I'm trying to enable Linux hosts to authenticate against an Active Directory server using port 389 and TLS. I seem to have that much working, but the users cannot change their passwords via passwd.
I was under the assumption that during a passwd change it would bind with the username and old password rather than the binddn/bindpw in ldap.conf, but I may be wrong. If that's the case, how do I get it working? The TEST\ldap domain user does not have permission to change other users' passwords, and I don't want to give it that permission, as this config file will be on every client.
This is on RHEL 5 (and if I get it working, RHEL 4 also).
Here's my config files on the client:
/etc/hosts

    127.0.0.1   localhost
    192.168.0.2 TESTSRV.TEST.COM TESTSRV
    192.168.0.1 WIN-JERS4CCKFGM.TEST.COM WIN-JERS4CCKFGM
/etc/ldap.conf
    debug 0
    uri ldap://WIN-JERS4CCKFGM.TEST.COM/
    base cn=Users,dc=test,dc=com
    ldap_version 3

    binddn TEST\ldap
    bindpw Pwldap1
    bind_policy soft

    scope sub
    timelimit 30

    nss_base_passwd cn=Users,dc=test,dc=com?one
    nss_base_shadow cn=Users,dc=test,dc=com?one
    nss_base_group  cn=Users,dc=test,dc=com?sub
    nss_schema rfc2307bis
    nss_map_objectclass posixAccount User
    nss_map_objectclass shadowAccount User
    nss_map_objectclass posixGroup group
    nss_map_attribute uniqueMember member
    nss_map_attribute homeDirectory UnixHomeDirectory
    nss_map_attribute gecos name
    nss_map_attribute ou description
/etc/nsswitch.conf
    passwd:    files ldap
    shadow:    files ldap
    group:     files ldap

    hosts:     files dns
    ethers:    files
    netmasks:  files
    networks:  files
    protocols: files
    rpc:       files
    services:  files
    netgroup:  files ldap
    automount: files ldap
    aliases:   files
/etc/pam.d/system-auth
    auth      required      pam_env.so
    auth      sufficient    pam_unix.so nullok try_first_pass
    auth      requisite     pam_succeed_if.so uid >= 500 quiet
    auth      sufficient    pam_ldap.so use_first_pass
    auth      required      pam_deny.so

    account   required      pam_unix.so broken_shadow
    account   sufficient    pam_succeed_if.so uid < 500 quiet
    account   [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account   required      pam_permit.so

    password  requisite     pam_cracklib.so retry=3
    password  sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password  sufficient    pam_ldap.so use_authtok
    password  required      pam_deny.so

    session   optional      pam_keyinit.so revoke
    session   required      pam_limits.so
    session   optional      pam_mkhomedir.so
    session   [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session   required      pam_unix.so
    session   optional      pam_ldap.so
/etc/pam.d/passwd just has the usual three "include system-auth" lines in it.
Are you using Kerberos or Samba winbind at all? Or are you just trying straight LDAP?
If the latter, your /etc/ldap.conf file should have a series of 'pam_*' parameters that seem to be missing. In particular, 'pam_password ad' is necessary to specify ADSI as the password change protocol. You may also need 'pam_login_attribute sAMAccountName' (+ others).
Personally, I've always just bound the Linux machine using winbind; then changing passwords is done with 'net ads password'.
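What an AD self-service password change looks like on the wire, as an added example (not code from the question or the answer above): the operation that 'pam_password ad' selects is a single LDAP modify that deletes the old unicodePwd value and adds the new one, each value being the password wrapped in double quotes and encoded as UTF-16-LE, sent over TLS while bound as the user changing the password (a plain 'replace' is the administrative reset, which needs the right the TEST\ldap account does not have). The DN and passwords below are constructed sample values, and the helper names are my own.

```python
import base64


def ad_unicode_pwd(password: str) -> bytes:
    """Encode a password the way AD expects for the unicodePwd attribute:
    the clear-text value wrapped in double quotes, as UTF-16-LE."""
    return f'"{password}"'.encode("utf-16-le")


def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of ad_unicode_pwd, useful for checking what was encoded."""
    text = value.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("not a quoted unicodePwd value")
    return text[1:-1]


def self_change_ldif(user_dn: str, old_password: str, new_password: str) -> str:
    """Build the LDIF for a user changing their *own* AD password.

    A self-change is one modify that deletes the old unicodePwd value and
    adds the new one; AD verifies the old value, so the bound user only
    needs the right to change its own password, not the reset right an
    administrator needs for a plain 'replace'.  unicodePwd is binary, so
    LDIF carries it base64-encoded (the '::' form)."""
    old_b64 = base64.b64encode(ad_unicode_pwd(old_password)).decode("ascii")
    new_b64 = base64.b64encode(ad_unicode_pwd(new_password)).decode("ascii")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "delete: unicodePwd",
        f"unicodePwd:: {old_b64}",
        "-",
        "add: unicodePwd",
        f"unicodePwd:: {new_b64}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values in the lab domain from the question.
    print(self_change_ldif("cn=jsmith,cn=Users,dc=test,dc=com", "OldPass1", "NewPass2"))
```

Feeding the output to `ldapmodify -ZZ -H ldap://WIN-JERS4CCKFGM.TEST.COM/ -D 'TEST\jsmith' -W -f change.ldif` performs the same self-change outside PAM: if it fails with the user's own credentials while lookups via TEST\ldap work, the problem is in the password-change path (TLS or the pam_* settings), not in the NSS side.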