LDAP users not able to change their password using passwd command
I have a basic LDAP setup without SSL configured. Users are able to login but not able to change their password using passwd command. I have gone though many blogs but no luck. I have disabled selinux and iptables.
Any help on this will be much appreciated.
Details below,
- OS: CentOS6.5
- LDAP version: openldap-servers-2.4.23-34.el6_5.1.x86_64
- Client version: openldap-clients-2.4.23-34.el6_5.1.x86_64
Output from the terminal when trying to change the password:
[servername ~]$ passwd
Changing password for user dkrishna.
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Authentication token manipulation error
Below are the logs,
==> /var/log/secure <==
Oct 8 09:31:33 passwd: pam_unix(passwd:chauthtok): user "dkrishna" does not exist in /etc/passwd
Oct 8 09:31:42 passwd: pam_unix(passwd:chauthtok): user "dkrishna" does not exist in /etc/passwd
==> /var/log/messages <==
Oct 8 09:31:42 passwd: pam_ldap: ldap_modify_s Insufficient access
ACL's configured as below,
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=admin,dc=tibbr,dc=com" read
by * none
access to attrs=userPassword
by self write
by anonymous auth
by users none
access to * by * read
Answer
I found the solution:
Add the following two lines to the end of the file: oclDatabase\=\{2\}bdb.ldif
olcAccess: {0}to attrs=userPassword by self write by dn.base="cn=Manager,dc=domain,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by dn.base="cn=Manager,dc=domain,dc=com" write by self write by * read
bye