2

我有一个没有配置 SSL 的基本 LDAP 设置。用户可以使用 passwd 命令登录,但不能更改密码。我浏览了很多博客,但没有运气。我禁用了 selinux 和 iptables。

对此的任何帮助将不胜感激。

详情如下,

  • 操作系统:CentOS6.5
  • LDAP 版本:openldap-servers-2.4.23-34.el6_5.1.x86_64
  • 客户端版本:openldap-clients-2.4.23-34.el6_5.1.x86_64

尝试更改密码时从终端输出:

[servername ~]$ passwd
Changing password for user dkrishna.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error

以下是日志,

==> /var/log/secure <==

Oct  8 09:31:33  passwd: pam_unix(passwd:chauthtok): user "dkrishna" does not exist in /etc/passwd
Oct  8 09:31:42  passwd: pam_unix(passwd:chauthtok): user "dkrishna" does not exist in /etc/passwd

==> /var/log/messages <==

Oct  8 09:31:42  passwd: pam_ldap: ldap_modify_s Insufficient access

ACL 的配置如下,

database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none

database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=admin,dc=tibbr,dc=com" read
        by * none

access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

access to * by * read
4

2 回答 2

3

我找到了解决方案:

将以下两行添加到文件末尾:oclDatabase\=\{2\}bdb.ldif

olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=com" write by anonymous auth by * none

olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=com" write by self write by * read

再见

于 2014-10-28T11:22:19.703 回答
0

配置 OCL 数据库时,似乎不推荐使用 slapd.conf。

观察 OCL 配置指南中的以下片段:“从运行转换开始,slapd.conf 文件是多余的。加载 slapd 时会查找配置目录(默认 slapd.d)并从那里读取其配置文件并初始化OLC (cn=config) DIT。如果找不到 slapd.d 目录,则 slapd 会查找 slapd.conf。

于 2015-12-01T00:09:49.810 回答