We have a Linux server farm along with some Windows machines, and I finally moved us from two parallel authentication systems (using Fedora Directory Services and Active Directory) to one -- just Active Directory. I configured LDAPS, and everything works except one thing.
I checked before deployment that I could change my password, and I still can. But I'm an admin. (Actually, I'm an engineer playing an admin on TV, but that's a story for another time.)
None of my users can change their passwords (using passwd on the Linux command line). They get the error
LDAP password information update failed: Can't contact LDAP server
00002098: SecErr: DSID-03150A45, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Running around Google doesn't give any obvious answers, but clearly there's some issue with users having rights to change their passwords via LDAPS when admins can do it. (I've checked that users have the right to change their password, of course.)
Any ideas?
Sigh. Fixed it. This link had the necessary fix buried deep in it: the standard

    pam_password md5

in ldap.conf needs to be changed to

    pam_password ad
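As an added example (not part of the original post), the following Python code shows the check an admin would want before and after that change, and what `pam_password ad` actually changes on the wire. The ldap.conf content is a constructed sample standing in for the poster's file, which is not shown; the `pam_password_mode` and `set_pam_password_ad` helpers are hypothetical names. The `unicodePwd` encoding (the new password in double quotes, UTF-16LE, and a delete-old/add-new modify for a user's own change) is the form Active Directory requires, which is why the md5 mode, which writes an `{MD5}` hash into `userPassword`, fails for ordinary users. AD also refuses `unicodePwd` writes over an unencrypted connection, so the LDAPS setup in the question is a prerequisite, not an optional extra.

```python
"""Check and fix the pam_ldap password-change mode, and show the LDAP
modify that Active Directory expects (added example, not the poster's code)."""
import base64
import re

# Constructed sample of /etc/ldap.conf; an assumption about the poster's file.
SAMPLE_LDAP_CONF = """\
# /etc/ldap.conf (pam_ldap / nss_ldap) -- constructed sample
base dc=example,dc=com
uri ldaps://dc1.example.com/
ssl on
tls_cacertfile /etc/openldap/cacerts/ad-root.pem
pam_password md5
"""


def pam_password_mode(conf_text):
    """Return the value of the pam_password directive, or None if it is unset."""
    mode = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "pam_password":
            mode = parts[1].strip().lower()
    return mode


def set_pam_password_ad(conf_text):
    """Rewrite the config so pam_password is 'ad'; append it if it was missing."""
    out = []
    replaced = False
    for line in conf_text.splitlines():
        if re.match(r"^\s*pam_password\b", line, re.IGNORECASE):
            out.append("pam_password ad")
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append("pam_password ad")
    return "\n".join(out) + "\n"


def ad_unicode_pwd(password):
    """Encode a password as AD's unicodePwd value: the password wrapped in
    double quotes, UTF-16LE with no BOM. This is what the 'ad' mode sends."""
    return ('"%s"' % password).encode("utf-16-le")


def password_change_ldif(dn, old_password, new_password):
    """LDIF for a user's own password change: delete the old value and add the
    new one in a single modify. (An admin reset is one 'replace' instead and
    does not need the old password.) Must be sent over TLS/LDAPS."""
    old_b64 = base64.b64encode(ad_unicode_pwd(old_password)).decode("ascii")
    new_b64 = base64.b64encode(ad_unicode_pwd(new_password)).decode("ascii")
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "delete: unicodePwd\n"
        "unicodePwd:: %s\n"
        "-\n"
        "add: unicodePwd\n"
        "unicodePwd:: %s\n"
        "-\n" % (dn, old_b64, new_b64)
    )


if __name__ == "__main__":
    print("current mode:", pam_password_mode(SAMPLE_LDAP_CONF))
    fixed = set_pam_password_ad(SAMPLE_LDAP_CONF)
    print("fixed mode:  ", pam_password_mode(fixed))
    print(password_change_ldif("CN=jdoe,OU=Users,DC=example,DC=com",
                               "OldPassw0rd", "NewPassw0rd!"))
```

Running it prints `md5` for the sample, `ad` after the rewrite, and the delete/add LDIF with base64 `unicodePwd` values. If a real change still fails with `INSUFF_ACCESS_RIGHTS` after switching to `ad`, the remaining suspects are the connection not actually being TLS-protected or a password policy rejecting the new value, not the pam_ldap mode.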