LDAP user password change fails
Hello All
I am setting up an RHEL 7 system to use solaris open ldap
Authentication is now working; however, users get an error when trying to change their password:
[ldapuser@testserver ~]$ passwd
Changing password for user ldapuser.
Current Password:
New password:
Retype new password:
Password change failed. Server message: Error in search for entry "oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config".
passwd: Authentication token manipulation error
We actually hit this issue in the past, and the workaround back then was to install pam_nss_ldapd and set up entries in /etc/pam_ldap.conf and /etc/pam.d/sssdproxyldap to point to the ldap servers; see:
https://access.redhat.com/solutions/69310
However, this is Red Hat 7: pam_ldap.conf has now been deprecated and replaced with only sssd.conf.
Can anyone suggest another workaround?
Responses
The article at https://access.redhat.com/solutions/69310 is for the "legacy" clients. With the RHEL-7 clients, the remote LDAP server must support the control with OID 1.3.6.1.4.1.4203.1.11.1, as the unmaintained upstream pam_ldap was removed, and nss-pam-ldapd does not provide a solution to this scenario. If there is still a wide adoption of those legacy clients and legacy LDAP servers, should RHEL-7's SSSD try to accommodate, with some secure LDAP modify operation (and proper BIND DN, and ACI?), the missing control of remote legacy LDAP servers? That could be a discussion in https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/ and we should open a ticket at https://pagure.io/SSSD/sssd/issues, but why can't the remote LDAP server have 1.3.6.1.4.1.4203.1.11.1 support?
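The OID in the error is the LDAP Password Modify extended operation (RFC 3062). Before changing any configuration, an admin can confirm whether the server advertises it by querying the root DSE with ldapsearch and checking the supportedExtension attribute. The script below is an added example, not from this thread or from SSSD; it parses constructed ldapsearch output (the ldapsearch command in the comment is real, the server name is a placeholder).

```python
import base64
from collections import defaultdict

# OID of the Password Modify extended operation (RFC 3062) that SSSD uses.
PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

def parse_ldif_attrs(ldif: str) -> dict:
    """Parse a single-entry LDIF dump into {attribute: [values]}.

    Unfolds continuation lines (leading space), decodes base64 values
    ("attr:: ...") and skips comments; attribute names are lower-cased.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    attrs = defaultdict(list)
    for line in lines:
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):       # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs[name.strip().lower()].append(value.strip())
    return dict(attrs)

def supports_password_modify(ldif: str) -> bool:
    """True if the root DSE advertises the Password Modify extended op."""
    return PASSWORD_MODIFY_OID in parse_ldif_attrs(ldif).get("supportedextension", [])

# Constructed sample output of (placeholder host):
#   ldapsearch -x -H ldap://ldapserver -s base -b "" supportedExtension
ROOT_DSE_OK = """\
# extended LDIF
dn:
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.1466.20037

# search result
result: 0 Success
"""
# Same dump without Password Modify: the legacy-server case from the thread.
ROOT_DSE_LEGACY = ROOT_DSE_OK.replace("supportedExtension: 1.3.6.1.4.1.4203.1.11.1\n", "")

if __name__ == "__main__":
    for label, dump in (("ok", ROOT_DSE_OK), ("legacy", ROOT_DSE_LEGACY)):
        print(label, "password modify supported:", supports_password_modify(dump))
```

If the OID is missing from a live server's output, the SSSD-side error above is expected and the fix belongs on the server (or in the ldap_pwmodify_mode setting the response hints at, if the SSSD version offers it).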
