I should add - If I place an entry in /etc/shadow, authentication works, but that's what I'm trying to avoid.
I've set up the LDAP schema such that I should not need to depend on the local passwd/shadow files. The LDIF of a typical user is...

dn: uid=nima,ou=human,dc=world
objectClass: authorizedServiceObject
objectClass: hostObject
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Nima Talebi
gidNumber: 10000
homeDirectory: /home/nima
sn: Talebi
uid: nima
uidNumber: 10413
authorizedService: login
authorizedService: passwd
authorizedService: sshd
authorizedService: su
authorizedService: sudo
givenName: Nima
host: darius
host: smerdis
loginShell: /bin/tcsh
mail: [email protected]
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: <hashed-passwd>

On Thu, Dec 10, 2009 at 11:29 PM, Nima Talebi <[email protected]> wrote:
> Hi Daniel,
>
> Thanks for getting back to me so fast!
>
> Well, even if that's the case - I don't mind, but here's a little more
> depth into the problem...
>
> I can bind to the LDAP server as a user, and have that user issue a change
> of password for themselves - and that works fine.
>
> I can do the same via the admin user too of course.
>
> Regardless of how I change the password, I still get:
>
> % ssh darius
> You are required to change your LDAP password immediately.
> Connection closed by 10.211.55.3
> %
>
> Nima
>
> On Thu, Dec 10, 2009 at 11:25 PM, Daniel Pittman <[email protected]> wrote:
>
>> Nima Talebi <[email protected]> writes:
>>
>> > Following recommendations on IRC, I'm posting my 2-day problem here so a
>> > genius can guide me to salvation....
>>
>> Do you want the good news, or the bad news?
>>
>> The good news is that you have not done anything wrong.
>>
>> The bad news is that OpenSSH does not support changing passwords through PAM,
>> so you are required to change your password some other way, at which point you
>> will again be able to authenticate via ssh.
>>
>> (IIRC, this might actually be a limitation of the SSH protocol, but either way
>> you can't do this. Sorry.)
>>
>> Daniel
>> --
>> ✣ Daniel Pittman ✉ [email protected] ☎ +61 401 155 707
>> ♽ made with 100 percent post-consumer electrons
>> --
>> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
>> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>
> --
> Nima Talebi
> web: http://ai.autonomy.net.au/People/Nima
> gpg: B51D 1F18 D8E2 B702 B027 23A4 E06B DAC1 BE70 ADC0
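As an added example (not code from the thread or from any of its participants), a small Python script that parses a shadowAccount LDIF entry like the one posted above and applies the shadow(5) password-aging rules to it, which is a quick way to see whether an entry's aging attributes alone will make a login demand a password change. The sample entry is a constructed copy of the post's attribute values, and the assumption that the LDAP PAM module enforces the same shadowLastChange/shadowMax/shadowWarning semantics as local shadow files is mine, not the thread's.

```python
"""Parse a shadowAccount LDIF entry and evaluate shadow(5) password aging."""
import base64

# Constructed sample mirroring the attributes from the post (not live data).
# The base64 value decodes to the placeholder string "<hashed-passwd>".
SAMPLE_LDIF = """\
dn: uid=nima,ou=human,dc=world
objectClass: posixAccount
objectClass: shadowAccount
uid: nima
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: PGhhc2hlZC1wYXNzd2Q+
"""


def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry ('::' means base64)."""
    entry = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                      # attr:: <base64>
            value = base64.b64decode(rest[1:].strip()).decode()
        else:                                         # attr: <plain value>
            value = rest.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def shadow_status(entry, today):
    """Classify aging state; `today` is days since 1970-01-01 (the shadow unit).

    Returns 'change-forced', 'expired', 'warn' or 'ok' (assumed to match what
    a shadow-aware PAM module decides at login).
    """
    def field(name):
        vals = entry.get(name)
        return int(vals[0]) if vals and vals[0] != "" else None

    last, max_days = field("shadowLastChange"), field("shadowMax")
    warn = field("shadowWarning") or 0
    if last == 0:
        return "change-forced"   # shadow(5): 0 means change at next login
    if last is None or max_days is None:
        return "ok"              # no aging information, nothing to enforce
    if last + max_days < today:
        return "expired"         # password aged out, must be changed now
    if last + max_days - warn <= today:
        return "warn"            # inside the warning window before expiry
    return "ok"
```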
