Answer: you cannot change the password using passwd, as sssd doesn't support such a feature. There might be a change to sss_ldap.so to prompt for the LDAP admin DN and password, but ldappasswd and kpasswd are considered sufficient tools.
For more info see this thread: https://lists.fedoraproject.org/pipermail/users/2013-July/438605.html

On 22 July 2013 22:08, Augustin Wolf <[email protected]> wrote:

> On 22 July 2013 18:14, Michael Proto <[email protected]> wrote:
>
>> I believe you can use the rootbinddn feature in pam_ldap.conf to allow the
>
> rootbinddn is set in pam_ldap.conf and sadly it doesn't work. I got it set to the LDAP admin DN (the same as rootdn in slapd.conf). This user has more privileges (manage permission to all LDAP attributes).
>
> On 22 July 2013 14:57, Cooper, Tom <[email protected]> wrote:
>
>> Root has to use ldappasswd to change users' passwords.
>
> I had to integrate the user database with Kerberos. I'm guessing that ldappasswd doesn't support Kerberos attributes. Does root have to change the password with the use of two systems: one for LDAP, another for Kerberos? Does root really have to do double work to change all tokens? Without it there might be a password mismatch: a different password for Kerberos and a different one for LDAP.
>
>> -Michael Proto
>
> In my struggle with this issue, I noticed that when I add to /etc/sssd/sssd.conf:
>
>     ldap_sasl_mech = GSSAPI
>     ldap_sasl_authid = root/admin
>     ldap_sasl_realm = EXAMPLE.COM
>
> the error message is different:
>
>     [root@ldap ~]# passwd test
>     Changing password for user test.
>     System is offline, password change not possible
>     passwd: Authentication token manipulation error
>
>     ==> /var/log/secure <==
>     Jun 25 16:27:35 ldap passwd: pam_sss(passwd:chauthtok): Authentication failed for user test: 20 (Authentication token manipulation error)
>
> thx for reply guys.
>
>>> My configs, logs, etc are in here: http://fpaste.org/26708/
