Everything is set up on RHEL 6.4 with OpenLDAP 2.4.

I have one provider and one consumer. StartTLS has been enabled and everything
is working as intended. My only problem arises here:
When a user is set up with a password and he tries to change his password on a
consumer-pointing client, I get "passwd: Authentication token manipulation
error". This message is misleading since the password is in fact changed on the
provider (I have the olcUpdateRef directive set up). This creates a situation
where the user can log in to consumer-pointed boxes with his old password and to
provider-pointed boxes with his new password. If the user tries to change his
password for the second time on consumer-pointed boxes, I get "Password change
failed. Server message: unwilling to verify old password" and "passwd:
Authentication token manipulation error", which understandably is because the
password in the actual LDAP db is different from what is being supplied and
being accepted by the client. What is going on here? Why isn't the password
getting updated properly in the consumer?

Here are some of the relevant config snippets:
For syncrepl, in olcDatabase={2}bdb.ldif on the consumer:

###For Replication
olcSyncrepl: rid=100
  provider="ldap://server.com"
  type=refreshAndPersist
  retry="60 30 300 +"
  searchbase="dc=ex,dc=example,dc=com"
  bindmethod=simple
  binddn="cn=Manager,dc=ex,dc=example,dc=com"
  credentials=secret
  starttls=yes
  tls_cacert=/etc/pki/CA/cacert.pem
  tls_cert=/etc/pki/tls/certs/cert.pem
  tls_key=/etc/pki/tls/certs/key.pem
olcUpdateRef: ldap://server.com


ACL on the provider:

olcAccess: to attrs=userPassword
       by self write
       by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
       by anonymous auth
       by * none
olcAccess: to *
       by self write
       by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
       by users read
olcAccess: to attrs=entry
       by dn.base="cn=Manager,dc=ex,dc=example,dc=com" write
       by * read



Let me know if any more configs are needed and I will post them. Any help is 
appreciated.

Siddharth Choure
Senior Systems Engineer
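Added example, not from the original post and not part of OpenLDAP: a small shell check that compares the provider's and the consumer's contextCSN, and the stored userPassword hash of one test entry, to confirm whether a password change that olcUpdateRef referred to the provider has actually replicated to the consumer. The base DN and the cn=Manager bind DN are taken from the posted config; the consumer URI, the bind password, and the test user uid=jdoe,ou=People,dc=ex,dc=example,dc=com are assumptions. Without --live it runs on constructed LDIF that models the state described in the post.

```shell
#!/bin/sh
# Added example, not from the original post: compare syncrepl state between a
# provider and a consumer to see whether a change (here, a password change that
# olcUpdateRef referred to the provider) has actually replicated.
# Assumptions (not in the original post): the consumer URI, the bind password,
# the test user DN, and a single provider (so one contextCSN value per server).

PROVIDER=${PROVIDER:-ldap://server.com}
CONSUMER=${CONSUMER:-ldap://consumer.example.com}   # assumed consumer hostname
BASE="dc=ex,dc=example,dc=com"
BINDDN="cn=Manager,dc=ex,dc=example,dc=com"
BINDPW=${BINDPW:-secret}
USER_DN="uid=jdoe,ou=People,$BASE"                  # assumed test user

# extract_attr ATTR: read LDIF on stdin, join folded continuation lines
# (leading space) and print the first value of ATTR.  Handles both "attr: v"
# and the base64 form "attr:: v" that ldapsearch uses for userPassword.
extract_attr() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    sed -n "s/^$1::* //p" | head -n 1
}

# csn_compare PROVIDER_LDIF CONSUMER_LDIF: compare the two servers' contextCSN.
# CSNs are fixed-width timestamps, so lexical order is time order.
csn_compare() {
    p=$(printf '%s\n' "$1" | extract_attr contextCSN)
    c=$(printf '%s\n' "$2" | extract_attr contextCSN)
    if [ -z "$p" ] || [ -z "$c" ]; then
        echo "unknown (contextCSN not readable; check ACLs/bind)"
    elif [ "$p" = "$c" ]; then
        echo in-sync
    elif [ "$(printf '%s\n%s\n' "$p" "$c" | sort | head -n 1)" = "$c" ]; then
        echo lagging
    else
        echo ahead
    fi
}

# password_compare PROVIDER_LDIF CONSUMER_LDIF: is the stored userPassword
# value of the entry identical on both servers?
password_compare() {
    p=$(printf '%s\n' "$1" | extract_attr userPassword)
    c=$(printf '%s\n' "$2" | extract_attr userPassword)
    if [ -z "$p" ]; then
        echo "unknown (userPassword not visible to $BINDDN on provider)"
    elif [ "$p" = "$c" ]; then
        echo same
    else
        echo different
    fi
}

# fetch URI DN ATTR: one StartTLS (-ZZ) base-scope search, matching the posted
# starttls=yes setup.  The CA from tls_cacert must be trusted in the client's
# ldap.conf for -ZZ to succeed.
fetch() {
    ldapsearch -LLL -ZZ -H "$1" -x -D "$BINDDN" -w "$BINDPW" -b "$2" -s base "$3"
}

live_check() {
    pcsn=$(fetch "$PROVIDER" "$BASE" contextCSN)
    ccsn=$(fetch "$CONSUMER" "$BASE" contextCSN)
    ppw=$(fetch "$PROVIDER" "$USER_DN" userPassword)
    cpw=$(fetch "$CONSUMER" "$USER_DN" userPassword)
    echo "contextCSN:   $(csn_compare "$pcsn" "$ccsn")"
    echo "userPassword: $(password_compare "$ppw" "$cpw")"
}

# Constructed sample LDIF (not captured from the poster's servers) modelling the
# state the post describes: the provider holds the new hash, the consumer still
# the old one, and the consumer's contextCSN is behind the provider's.
SAMPLE_P_CSN='dn: dc=ex,dc=example,dc=com
contextCSN: 20130501120000.000000Z#000000#000#000000'
SAMPLE_C_CSN='dn: dc=ex,dc=example,dc=com
contextCSN: 20130501113000.000000Z#000000#000#000000'
SAMPLE_P_PW='dn: uid=jdoe,ou=People,dc=ex,dc=example,dc=com
userPassword:: e1NTSEF9bmV3aGFzaA=='
SAMPLE_C_PW='dn: uid=jdoe,ou=People,dc=ex,dc=example,dc=com
userPassword:: e1NTSEF9b2xkaGFzaA=='

demo() {
    echo "contextCSN:   $(csn_compare "$SAMPLE_P_CSN" "$SAMPLE_C_CSN")"    # lagging
    echo "userPassword: $(password_compare "$SAMPLE_P_PW" "$SAMPLE_C_PW")" # different
}

if [ "${1:-}" = "--live" ] && command -v ldapsearch >/dev/null 2>&1; then
    live_check
else
    demo
fi
```

Run it with --live (and PROVIDER/CONSUMER/BINDPW set in the environment) against the real servers. "lagging" with "different" means the write reached the provider but the consumer has not applied it yet; "in-sync" with "different" means the consumer's contextCSN advanced without the userPassword value following, which points at what the consumer's replication identity is allowed to read on the provider rather than at replication lag.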