I am trying to allow LDAP users to change their password on client machines. I have tried PAM every which way I can think of, and /etc/ldap.conf & /etc/pam_ldap.conf as well. At this point I'm stuck.

Client: Ubuntu 11.04
Server: Debian 6.0

The current output is this:

sobrien4@T-E700F-1:~$ passwd
passwd: Authentication service cannot retrieve authentication info
passwd: password unchanged

/var/log/auth.log gives this during the command:

May  9 10:49:06 T-E700F-1 passwd[18515]: pam_unix(passwd:chauthtok): user "sobrien4"  does not exist in /etc/passwd
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: reconnecting to LDAP server...
May  9 10:49:06 T-E700F-1 passwd[18515]: pam_ldap: ldap_simple_bind Can't contact LDAP server

getent passwd |grep sobrien4 (note keeping short since testing with that account, however it outputs all ldap users):

sobrien4:Ffm1oHzwnLz0U:10000:12001:Sean O'Brien:/home/sobrien4:/bin/bash 

getent group shows all ldap groups.

/etc/pam.d/common-password (Note this is just the most current, I have tried a lot of different options):

password   required   pam_cracklib.so retry=3 minlen=8 difok=3
password   [success=1 default=ignore] pam_unix.so use_authtok md5
password   required   pam_ldap.so use_authtok
password   required   pam_permit.so

Popped open wireshark as well, the server & client are talking.

I have the password changing working on the server, i.e. on the server that runs slapd I can log in with the LDAP user and change the passwords. I tried copying the working configs from the server initially and no dice.

I also tried cloning it, and just changing ip & host, and no go. My guess is that the client is not authorized by ip or hostname to change a pass.

Pertaining to the slapd conf, I saw this in a guide and tried it:

access to attrs=loginShell,gecos
      by dn="cn=admin,dc=cengineering,dc=etb" write
      by self write
      by * read

access to *
      by dn="cn=admin,dc=cengineering,dc=etb" write
      by self write
      by * read

So ldap seems to be working okay, just can't change the password.

Scott Pack

3 Answers


I think you need to allow auth-binding for it to work. By this, I mean the user connects to the LDAP server (or PAM proxies) and presents his/her credentials. If the LDAP server likes what it sees, the auth-bind succeeds and PAM knows that your user/pass pair is correct. Please see the example in zytrax's book.

Adjust your ACL to have a section similar to

# ACL1
access to attrs=userpassword
       by self       write
       by anonymous  auth
       by group.exact="cn=itpeople,ou=groups,dc=example,dc=com"    write
       by *          none

I've experienced this exact same problem before; in order to resolve this, I needed to remove use_authtok. This allowed us to then change users' passwords using passwd. I'm not sure what repercussions this would have if your authentication chain requires tokens, but this should do the trick if you only auth via LDAP.

  • There are various bug reports relating to this, and it has nothing to do with the slapd setup. This is the report with the most recent activity: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=588434 – HonoredMule Dec 16 '16 at 02:40

I'm using the following configuration for PAM passwd support:

password    requisite      pam_cracklib.so try_first_pass retry=3
password    sufficient     pam_ldap.so try_first_pass use_authtok
password    sufficient     pam_unix.so sha512 shadow nullok use_authtok try_first_pass
password    required       pam_deny.so

Also remember that ACLs should be configured from most specific to least specific, because the first matching entry wins. Mine looks like this:

access to attrs=userPassword
    by dn="cn=admin,dc=hell" write
    by set="[cn=admins,ou=access groups,ou=groups,dc=hell]/memberUid & user/uid" write
    by anonymous auth
    by self write
    by * none

(BTW, I'd rather recommend the original OpenLDAP administration guide than the Zytrax book; the book uses the guide as a source anyway, but frequently introduces errors where it strays away from the original text.)

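The two `common-password` stacks on this page (the question's and the third answer's) behave differently on paper but identically in the failing case: a `required` module that fails cannot be rescued by a later `pam_permit.so`, and a `sufficient` module that fails simply contributes nothing. The following is an added example, not code from the page or from Linux-PAM; it is a simplified, single-pass model of libpam's dispatch (real `passwd` runs chauthtok twice, preliminary check then update), and the module outcomes fed into it are constructed to mirror the auth.log above: pam_unix reports the LDAP-only account as unknown, and pam_ldap fails when it cannot contact the server.

```python
"""Simplified Linux-PAM stack dispatcher (added example, not from the page).

One pass over a `password` stack: `requisite` failure returns at once,
`required` failure is remembered but the rest of the stack still runs,
`sufficient` success returns at once unless a required module already
failed, and `[success=N default=ignore]` jumps over N modules on success
and contributes nothing on failure.
"""
import re


def run_stack(stack, outcomes):
    """stack: list of (control, module); outcomes: module -> True (PAM_SUCCESS) or False.
    Returns "success" or "fail"."""
    impression = None          # None = undefined, True = positive, False = negative
    i = 0
    while i < len(stack):
        control, module = stack[i]
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                return "fail"                     # die: stop immediately
            impression = impression if impression is not None else True
        elif control == "required":
            if ok:
                impression = impression if impression is not None else True
            else:
                impression = False                # remembered; stack keeps running
        elif control == "sufficient":
            if ok and impression is not False:
                return "success"                  # done: return unless a required module failed
        else:
            m = re.fullmatch(r"\[success=(\d+) default=ignore\]", control)
            if not m:
                raise ValueError(f"unsupported control: {control}")
            if ok:
                impression = impression if impression is not None else True
                i += int(m.group(1))              # skip the next N modules
        i += 1
    return "success" if impression is True else "fail"


# The question's stack and the third answer's stack, as written on the page.
QUESTION_STACK = [
    ("required", "pam_cracklib.so"),
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("required", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]
ANSWER_STACK = [
    ("requisite", "pam_cracklib.so"),
    ("sufficient", "pam_ldap.so"),
    ("sufficient", "pam_unix.so"),
    ("required", "pam_deny.so"),
]


def ldap_user(ldap_reachable):
    """Constructed outcomes for an LDAP-only account: pam_unix cannot find it in /etc/passwd."""
    return {"pam_cracklib.so": True, "pam_unix.so": False, "pam_ldap.so": ldap_reachable,
            "pam_permit.so": True, "pam_deny.so": False}


def local_user():
    """Constructed outcomes for a local account that pam_ldap does not know."""
    return {"pam_cracklib.so": True, "pam_unix.so": True, "pam_ldap.so": False,
            "pam_permit.so": True, "pam_deny.so": False}


if __name__ == "__main__":
    for name, stack in (("question", QUESTION_STACK), ("answer", ANSWER_STACK)):
        print(name, "ldap down:", run_stack(stack, ldap_user(False)),
              "ldap up:", run_stack(stack, ldap_user(True)),
              "local:", run_stack(stack, local_user()))
```

Both stacks return "fail" for the LDAP user while pam_ldap cannot reach the server, which is what the "Can't contact LDAP server" lines in auth.log describe; rearranging the stack only changes the outcome once pam_ldap itself succeeds.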
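The first and third answers both turn on how slapd evaluates `access to` directives: the first directive whose target matches is selected, and inside it the first `by` clause that matches the requester decides the level, so a catch-all `access to *` placed before the `userPassword` directive makes the latter unreachable. The following is an added example, not code from the page or from OpenLDAP: a toy evaluator of that rule, fed with the first answer's ACL followed by a catch-all shaped like the question's own `access to *` block. The DNs, the group membership and the `example.com` suffix are constructed; `set=`, regex and `continue`/`break` controls are not modeled.

```python
"""Toy evaluator for slapd-style access directives (added example, not from the page).

slapd stops at the FIRST `access to <what>` directive whose target matches the
attribute, then at the FIRST `by <who>` clause inside it that matches the
requester; the level granted there is final.  Levels form a ladder, so `write`
also satisfies `read` and `auth`.  Supported <who> forms: *, anonymous, users,
self, dn=<exact dn>, group.exact=<group dn>.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str
    level: str


@dataclass
class Access:
    attrs: Optional[Set[str]]   # None stands for "access to *" (every attribute)
    by: List[By]


@dataclass
class Request:
    bind_dn: Optional[str]      # None = anonymous
    target_dn: str              # entry whose attribute is accessed
    attr: str
    need: str                   # level the operation requires


def who_matches(who: str, req: Request, groups: Dict[str, Set[str]]) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.bind_dn is None
    if who == "users":
        return req.bind_dn is not None
    if who == "self":
        return req.bind_dn is not None and req.bind_dn.lower() == req.target_dn.lower()
    if who.startswith("dn="):
        return req.bind_dn is not None and req.bind_dn.lower() == who[3:].lower()
    if who.startswith("group.exact="):
        return req.bind_dn in groups.get(who[len("group.exact="):], set())
    raise ValueError(f"unsupported <who>: {who}")


def granted_level(acl: List[Access], req: Request, groups: Dict[str, Set[str]]) -> str:
    for directive in acl:
        if directive.attrs is not None and req.attr.lower() not in {a.lower() for a in directive.attrs}:
            continue                  # target does not match: look at the next directive
        for clause in directive.by:
            if who_matches(clause.who, req, groups):
                return clause.level   # first matching <who> wins
        return "none"                 # directive matched but no <who> did: denied
    return "none"                     # simplified: nothing matched at all


def allowed(acl, req, groups=None) -> bool:
    return LEVELS.index(granted_level(acl, req, groups or {})) >= LEVELS.index(req.need)


# --- constructed data: the first answer's userPassword directive plus a catch-all ---
ADMIN = "cn=admin,dc=example,dc=com"
ITPEOPLE = "cn=itpeople,ou=groups,dc=example,dc=com"
SEAN = "uid=sobrien4,ou=people,dc=example,dc=com"
HELPDESK = "uid=helpdesk,ou=people,dc=example,dc=com"
GROUPS = {ITPEOPLE: {HELPDESK}}

PASSWORD_DIRECTIVE = Access({"userPassword"}, [
    By("self", "write"), By("anonymous", "auth"),
    By(f"group.exact={ITPEOPLE}", "write"), By("*", "none"),
])
CATCH_ALL = Access(None, [By(f"dn={ADMIN}", "write"), By("self", "write"), By("*", "read")])

GOOD_ACL = [PASSWORD_DIRECTIVE, CATCH_ALL]   # most specific first
BAD_ACL = [CATCH_ALL, PASSWORD_DIRECTIVE]    # catch-all first: userPassword directive never reached


def self_change(acl):        # user sets their own password (passwd / ldappasswd)
    return allowed(acl, Request(SEAN, SEAN, "userPassword", "write"), GROUPS)


def anonymous_bind(acl):     # a simple bind needs "auth" on userPassword
    return allowed(acl, Request(None, SEAN, "userPassword", "auth"), GROUPS)


def anonymous_read_hash(acl):
    return allowed(acl, Request(None, SEAN, "userPassword", "read"), GROUPS)


def helpdesk_reset(acl):
    return allowed(acl, Request(HELPDESK, SEAN, "userPassword", "write"), GROUPS)


if __name__ == "__main__":
    for name, acl in (("good", GOOD_ACL), ("bad", BAD_ACL)):
        print(name, self_change(acl), anonymous_bind(acl), anonymous_read_hash(acl), helpdesk_reset(acl))
```

With the catch-all first, the `by * read` clause is what anonymous clients get on `userPassword`, so password hashes become readable and the itpeople group loses its reset right; with the specific directive first, anonymous gets exactly `auth`, which is all a bind needs. A catch-all with `by * read` on its own, as in the question's `access to *` block, has the same exposure.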