How to allow an LDAP user to change their password?
In slapd.conf, write the access control rule:
access to attrs=userPassword
by self =xw
But you should be aware that specific rules are to be written first and general rules at the end.
For example, the following rule has to be written at the end:
access to * by * read
For more information, visit: http://www.openldap.org/doc/admin24/access-control.html
MORE INFO
slapd.conf is generally located in
/etc/openldap or
/etc/ldap/ or
/usr/local/etc/openldap/ or
/usr/local/etc/ldap/
There are some changes in newer versions of LDAP: slapd.conf is still supported, but by default the data is stored in the slapd.d directory. If you put your custom slapd.conf there, the process will read slapd.conf instead of the slapd.d directory.
Things to notice
- Sometimes slapd.conf is present in both the local and the global path; try changing both.
- Delete the slapd.d directory, as it is the default, to make slapd.conf work.
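A complete ACL fragment showing the ordering the answer describes, added here as an example rather than taken from the answer itself. Beyond the `by self =xw` clause quoted above it also grants `by anonymous auth` on userPassword: in OpenLDAP a request that matches no `by` clause is denied, and a simple bind needs `auth` access to userPassword to verify the password, so with only the self clause nobody could log in at all. The path in the first comment is one of the locations listed above; pick the one your distribution uses.

```conf
# /etc/openldap/slapd.conf (or /etc/ldap/slapd.conf): ACL section.
# Added example, not the configuration from the answer above.
#
# Rules are evaluated in order and the first "access to" clause whose
# target matches the entry/attribute wins, so the narrow userPassword
# rule must come before the catch-all "access to *".

# 1. Specific rule: the password attribute.
access to attrs=userPassword
    by self =xw            # own password: write (change) and auth, but not read
    by anonymous auth      # needed so a simple bind can verify the password
    by * none              # nobody else can read or write password hashes

# 2. General rule: everything else is world-readable.
#    Must be last; placed first it would match every request and the
#    userPassword rule would never be reached.
access to *
    by * read
```

Check the file with `slaptest -f /etc/openldap/slapd.conf` before restarting slapd, then test the change as the user with `ldappasswd -x -D "uid=alice,ou=People,dc=example,dc=com" -W -S` (the DN is a placeholder for one of your own entries). If your entries carry the shadowAccount object class and your client updates shadowLastChange when the password changes (pam_ldap does), that attribute needs the same self-write rule, otherwise the password update succeeds but the follow-up modify is refused.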
I found the solution on http://ubuntuforums.org/showthread.php?t=1640070
At /etc/pam.d/common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
# -- removed comment header talking about various options --
# here are the per-package modules (the "Primary" block)
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
password optional pam_gnome_keyring.so
# end of pam-auth-update config
Try removing the use_authtok parameter and save the file. You may need to restart.
-Tim
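The "Primary" block of the same file with `use_authtok` removed, added as an example (not Tim's file), with comments spelling out the control flow that makes the option fail for an LDAP-only user. The `success=N` jump semantics are as documented in pam.conf(5); the remaining lines of the file are unchanged and omitted here.

```conf
# /etc/pam.d/common-password, "Primary" block only.
# Added example, not the file posted above.
#
# [success=2 default=ignore]: if pam_unix succeeds, skip the next two
#   modules (pam_ldap and pam_deny) and land on pam_permit, i.e. success.
#   If it fails (for example the account is LDAP-only and has no
#   /etc/shadow entry), the result is ignored and the stack falls
#   through to pam_ldap.
password [success=2 default=ignore] pam_unix.so obscure sha512

# Before: use_authtok tells pam_ldap to reuse the new password already
# collected by an earlier module instead of prompting for it. When
# pam_unix has bailed out for an LDAP user, no new token has been stored,
# so pam_ldap has nothing to write and passwd reports
# "Authentication token manipulation error".
#password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

# After: without use_authtok, pam_ldap prompts for the new password itself.
# try_first_pass only concerns the current password: if one was already
# entered for an earlier module it is reused instead of asked for again.
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

# Fallback and positive prime, as before: a pam_ldap success jumps over
# pam_deny (success=1) straight to pam_permit.
password requisite pam_deny.so
password required pam_permit.so
```

Keep in mind that the jump counts in the `success=N` actions refer to the modules that follow, so if you comment a line out instead of deleting it, as above, the counts still match; if you insert an extra module between pam_unix and pam_permit, they have to be adjusted.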
It works! Tee hee