lists.arthurdejong.org

R: R: pwdReset problem in CentOS 7


> -----Original message-----
> From: Luigi Iotti <luigi@iotti.biz>
> Sent: Sunday, 13 January 2019 23:31
> To: 'Arthur de Jong' <arthur@arthurdejong.org>; 'nss-pam-ldapd-users@lists.arthurdejong.org' <nss-pam-ldapd-users@lists.arthurdejong.org>
> Subject: R: R: pwdReset problem in CentOS 7
> 
> > > nslcd: [e45d32] <authc="lux"> DEBUG:
> > > ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***")
> > > (uri="ldap://127.0.0.1/") (ppolicy=yes)
> > > nslcd: [e45d32] <authc="lux"> DEBUG: got
> > > LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
> > > nslcd: [e45d32] <authc="lux"> DEBUG:
> > > myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it",
> > > filter="(objectClass=*)")
> > > nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient
> > > access: Operations are restricted to
> > > bind/unbind/abandon/StartTLS/modify password
> >
> > The problem here may be that the policy does not provide any grace
> > logins left but I'm not 100% sure. It could be that the PAM stack does
> > not provide the correct answers. To get more information add the debug
> > option to the pam_ldap.so lines in your PAM stack (at least for auth and
> > account parts).
> 
> Hi Arthur,
> 
> the problem vanished. The only thing I did was to replace the nslcd binary
> with one I recompiled with debug messages widespread. I'm sorry, if/when I
> find the real thing that did correct the problem, I'll post about it here.
> Disappointing, but I double checked all the configs involved.
> Now I have another little problem, which I'll write about in a separate message.

I found what I forgot I did among various tests, which solved the problem. Too
bad my memory is so exhausted. So for future reference, and for googlers:
To handle pwdReset on CentOS7, I upgraded nss-pam-ldapd to the current version,
0.9.10, then ran authconfig to configure it (authconfig --enableldap
--enableldapauth --ldapserver=ip.ad.dr.es --ldapbasedn="dc=test,dc=it"
--enablemkhomedir --updateall) then added to nslcd.conf pam_authc_search NONE.
This last step was needed in this setup, and was the one I did not remember.
But now it works :)

Thank you again.

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
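
Added example, not part of the original message or of nss-pam-ldapd: a small checker that spots the failure sequence in the quoted nslcd debug output (a "Password must be changed" response, then the post-bind search refused with "Insufficient access") and reports whether nslcd.conf already sets pam_authc_search NONE. The second log session, the sample nslcd.conf and all function names are constructed for illustration.

```python
import re

# Constructed sample: session e45d32 follows the nslcd debug output quoted in
# the thread (rejoined onto single lines); session 7f1a09 is an invented control.
SAMPLE_LOG = """\
nslcd: [e45d32] <authc="lux"> DEBUG: ldap_sasl_bind("uid=lux,ou=Tecnici,ou=People,dc=test,dc=it","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [e45d32] <authc="lux"> DEBUG: got LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)
nslcd: [e45d32] <authc="lux"> DEBUG: myldap_search(base="uid=lux,ou=Tecnici,ou=People,dc=test,dc=it", filter="(objectClass=*)")
nslcd: [e45d32] <authc="lux"> ldap_result() failed: Insufficient access: Operations are restricted to bind/unbind/abandon/StartTLS/modify password
nslcd: [7f1a09] <authc="ann"> DEBUG: ldap_sasl_bind("uid=ann,ou=People,dc=test,dc=it","***") (uri="ldap://127.0.0.1/") (ppolicy=yes)
nslcd: [7f1a09] <authc="ann"> DEBUG: myldap_search(base="uid=ann,ou=People,dc=test,dc=it", filter="(objectClass=*)")
"""
# Constructed nslcd.conf text in which the setting is still commented out.
SAMPLE_CONF = "uri ldap://127.0.0.1/\nbase dc=test,dc=it\n# pam_authc_search NONE\n"

LINE = re.compile(r'nslcd: \[(?P<sid>[0-9a-f]+)\] <authc="(?P<user>[^"]*)"> (?P<msg>.*)')

def pwdreset_search_failures(log_text):
    """Users whose post-bind search was refused right after a must-change response."""
    stage, users = {}, []  # stage: session id -> how far the sequence has got
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        sid, msg = m["sid"], m["msg"]
        if "LDAP_CONTROL_PASSWORDPOLICYRESPONSE (Password must be changed)" in msg:
            stage[sid] = "must_change"
        elif "myldap_search(" in msg and stage.get(sid) == "must_change":
            stage[sid] = "searched"
        elif "failed: Insufficient access" in msg and stage.get(sid) == "searched":
            users.append(m["user"])
            del stage[sid]
    return users

def authc_search_value(conf_text):
    """Last pam_authc_search value in nslcd.conf text, or None if it is not set."""
    value = None
    for raw in conf_text.splitlines():
        fields = raw.strip().split(None, 1)  # commented lines start with '#'
        if len(fields) == 2 and fields[0].lower() == "pam_authc_search":
            value = fields[1].strip()
    return value

def diagnose(log_text, conf_text):
    """Map each affected user to advice; empty when the search is already disabled."""
    if authc_search_value(conf_text) == "NONE":  # spelled as in the message
        return {}
    return {u: "post-bind search blocked by pwdReset; consider pam_authc_search NONE"
            for u in pwdreset_search_failures(log_text)}
```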