I have set up 389 Directory Server and one server as a client for testing authentication of users, etc.
For installation of Directory I have used this tutorial:
Install And Configure LDAP Server In CentOS 7
For installing the client I have used this tutorial: How to Install Configure LDAP Client for 389 Directory Server
Now ds-389 and client authentication work, but when I try to change the password of an LDAP user I get this weird message:
May 20 13:40:55 server passwd: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd
May 20 13:41:06 server passwd: pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd
May 20 13:41:06 server passwd: pam_ldap(passwd:chauthtok): password change failed: password change failed: Confidentiality required; user=test
May 20 13:41:06 server passwd: gkr-pam: couldn't change password for the login keyring: the passwords didn't match.
May 20 13:41:06 server passwd: gkr-pam: stopped the daemon
Does anyone know what the problem could be? My PAM config looks like this:
password-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_access.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
OK, in my case I wasted one full day playing with the configuration and Wireshark to find out that in order for users to be able to change their password, you need to have encryption enabled on ds-389, and your client needs to connect to port 636 over SSL/TLS to "SECURELY" pass confidential data, in our case the password. I kinda feel stupid after skipping the most important part ;D
So in order for the system to run properly, first we need to generate a certificate on ds-389.
For this, I used this short tutorial: Configure TLS SSL 389 Directory Server CentOS
Please be aware to set a PIN for your ds-389 and restart the services, of course... After you have set everything up on your ds-389, the next step is to make the client connect to the specific port. As a prerequisite, you need to export the crt to pem by using this command:
Copy that ca-cert.pem to your client, for example from the home folder where you scp'd ca-cert.pem (or wherever you copied that file).
And as a final step, use authconfig-tui to set your client to use TLS instead of port 389 with plain text...
You can follow these steps from this link: How to Install Configure LDAP Client for 389 Directory Server
I hope I have helped someone save some time and the torture of Googling around ;) Cheers.
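A scripted version of the client-side steps in the answer above, plus a check of the resulting client configuration, as an added example that is not part of the original answer or of the linked tutorials. The background: pam_ldap changes a password with the LDAP Password Modify extended operation, and 389-ds refuses that operation on a connection that carries neither TLS nor a SASL security layer with LDAP result 13, confidentialityRequired, which is the "Confidentiality required" in the log. Everything named here is an assumption to replace with your own values: the host ldap.example.com, the suffix dc=example,dc=com, the instance name ldap (so the NSS database is /etc/dirsrv/slapd-ldap), the CA nickname "CA certificate" in that database, and the file paths. The `export`, `install` and `verify` actions need root and a reachable server; `check` only reads a config file, so it can be run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): move a pam_ldap/nslcd client from
# plaintext port 389 to ldaps:// so 389-ds accepts password changes, and check
# the resulting config.  All names below are placeholders (assumptions).

LDAP_SERVER="${LDAP_SERVER:-ldap.example.com}"   # assumed 389-ds host
BASE_DN="${BASE_DN:-dc=example,dc=com}"          # assumed suffix
DS_INSTANCE="${DS_INSTANCE:-ldap}"               # assumed slapd-<instance> name

# ldap_conf_is_secure FILE
# Reads a pam_ldap.conf / nslcd.conf / openldap ldap.conf style file and decides
# whether the client will talk to the directory with confidentiality: either
# 'ssl on' / 'ssl start_tls' is set, or every 'uri' uses the ldaps:// scheme.
# Returns 0 if secure, 1 if some traffic would go in the clear, 2 if no
# uri/host directive is present.  Keywords are matched case-insensitively.
ldap_conf_is_secure() {
    conf="$1"
    lc=$(tr 'A-Z' 'a-z' < "$conf")
    ssl_mode=$(printf '%s\n' "$lc" | sed -n 's/^[[:space:]]*ssl[[:space:]]\{1,\}\([a-z_]*\).*/\1/p' | tail -n 1)
    uris=$(printf '%s\n' "$lc" | sed -n 's/^[[:space:]]*uri[[:space:]]\{1,\}//p')
    hosts=$(printf '%s\n' "$lc" | sed -n 's/^[[:space:]]*host[[:space:]]\{1,\}//p')
    if [ -z "$uris" ] && [ -z "$hosts" ]; then
        echo "$conf: no uri/host directive" >&2
        return 2
    fi
    case "$ssl_mode" in
        on|start_tls) return 0 ;;   # session-wide TLS, whatever the uri scheme
    esac
    if [ -n "$hosts" ]; then
        echo "$conf: plain 'host' directive without 'ssl on'" >&2
        return 1
    fi
    for u in $uris; do             # several uris may share one line
        case "$u" in
            ldaps://*) ;;
            *) echo "$conf: plaintext uri $u (password change will get 'Confidentiality required')" >&2
               return 1 ;;
        esac
    done
    return 0
}

# Step 1, on the 389-ds host: export the CA certificate from the instance's NSS
# database as PEM.  Assumes the CA sits under the nickname "CA certificate";
# list the nicknames with: certutil -L -d /etc/dirsrv/slapd-$DS_INSTANCE
export_ca_pem() {
    certutil -L -d "/etc/dirsrv/slapd-$DS_INSTANCE" -n "CA certificate" -a > "$1"
}

# Step 2, on the client (as root): trust the CA and switch the client to ldaps://.
# cacertdir_rehash ships with authconfig on CentOS 7; the authconfig flags are
# the command-line equivalent of the authconfig-tui choices in the answer.
install_client_tls() {
    install -m 0644 "$1" /etc/openldap/cacerts/ca-cert.pem
    cacertdir_rehash /etc/openldap/cacerts
    authconfig --enableldap --enableldapauth \
        --ldapserver="ldaps://$LDAP_SERVER:636" \
        --ldapbasedn="$BASE_DN" --update
}

# Step 3, on the client: prove TLS works before touching PAM again.  The
# anonymous root DSE read fails here if the CA is not trusted or the hostname
# does not match the certificate; then the files authconfig wrote are checked.
verify_client_tls() {
    ldapsearch -H "ldaps://$LDAP_SERVER:636" -x -b "" -s base namingContexts > /dev/null || return 1
    for f in /etc/nslcd.conf /etc/pam_ldap.conf; do
        [ -f "$f" ] && { ldap_conf_is_secure "$f" || return 1; }
    done
    return 0
}

case "${1:-}" in
    export)  export_ca_pem "${2:-ca-cert.pem}" ;;
    install) install_client_tls "${2:-$HOME/ca-cert.pem}" ;;
    verify)  verify_client_tls ;;
    check)   ldap_conf_is_secure "${2:-/etc/pam_ldap.conf}" ;;
esac
```

Saved as, say, ds-tls-client.sh, `sh ds-tls-client.sh check /etc/pam_ldap.conf` run after authconfig tells you whether the client still speaks plaintext, which is the condition behind the "Confidentiality required" line in the question. Once `verify` passes, `ldappasswd -H ldaps://ldap.example.com:636 -x -D uid=test,ou=People,dc=example,dc=com -W -S` (an assumed user DN) exercises the same extended operation pam_ldap uses, so a failure there is a directory or TLS problem and a success there with passwd(1) still failing points back at the PAM stack.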