I started an office and I NEED centralized login and home directories to work. Since all workstations are going to run Arch, and to avoid problems with different LDAP versions, I finally concluded the LDAP server also needed Arch.
I have done a completely clean install of Arch on the server and on a workstation. Both have Arch's "base" and "base-devel" package groups, NTP, OpenSSH & OpenLDAP installed, the server has nss-pam-ldapd as well. That's pretty much it right now.
- I have followed https://wiki.archlinux.org/index.php/OpenLDAP, but had to do the following things differently (and I have not set up SSL or TLS yet):
- Before I copied DB_CONFIG.example I ran updatedb, and used locate DB_CONFIG
- I had to run slaptest with the -u option to suppress database warnings
- After running slaptest I did chown -R ldap:ldap on /etc/openldap/slapd.d
- systemctl start slapd fails, and so does sudo slapd -u ldap -g ldap, but sudo slapd worked.
- After running sudo slapd I killed slapd and ran chown -R ldap:ldap /var/lib/openldap, but systemctl start slapd still failed.
- After chown -R ldap:ldap /etc/openldap I could finally use systemctl start slapd. I assume it was the schema folder that could not be read by ldap when started as the ldap user.
- Followed https://wiki.archlinux.org/index.php/LDAP_Authentication
- I did not start or enable nscd
- I can now log in with LDAP users on the workstation fine, and I can update the directory using my rootdn.
Problem: users cannot change their password using passwd. LDAP returns:
password change failed: Insufficient access
/etc/slapd.conf (on server):
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
pidfile /run/openldap/slapd.pid
argsfile /run/openldap/slapd.args
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to *
by self write
by * read
database bdb
suffix "dc=testing,dc=com"
rootdn "cn=Manager,dc=testing,dc=com"
rootpw {SSHA}ntsD5qrvHJtMflarQPhJzapiEEnqH2/L
directory /var/lib/openldap/openldap-data
index objectClass eq
index uid pres,eq
index mail pres,sub,eq
index cn pres,sub,eq
index sn pres,sub,eq
index dc eq
/etc/openldap/ldap.conf (on client):
BASE dc=testing,dc=com
URI ldap://192.168.1.50
/etc/nslcd.conf (on client):
uid nslcd
gid nslcd
uri ldap://192.168.1.50/
base dc=testing,dc=com
/etc/pam.d/system-auth (on client):
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok
auth optional pam_permit.so
auth required pam_env.so
account sufficient pam_ldap.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
password sufficient pam_ldap.so
password required pam_unix.so try_first_pass nullok sha512 shadow
password optional pam_permit.so
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_permit.so
/etc/pam.d/passwd (on client):
password sufficient pam_ldap.so
password required pam_unix.so sha512 shadow nullok
So finally, my questions:
- First off, where is the best place to read up on this kind of stuff?
- Second off, how do I debug myself? Arch uses systemd, where is the syslog for systemd based systems?
- What is the mlocate package with updatedb and locate? Do I need to use it? It is not mentioned in the archwiki, but mentioned in many other places.
- And the actual question: Why can my users not change passwords with passwd?
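Added example (not the poster's code and not part of OpenLDAP): a small evaluator for the access stanza posted above, following the ACL rules documented for slapd.conf. slapd picks the first "access to" directive whose <what> matches the entry or attribute, then the first "by" clause inside it whose <who> matches the bound identity; an implicit "by * none" closes every directive, no matching directive at all means denied, and the rootdn bypasses ACLs completely. Feeding the posted stanza through it shows what each identity is granted on userPassword: a user bound as itself gets write, anonymous gets only auth (enough to bind, not to modify), and any other user gets nothing, which is the "Insufficient access" result. The entries uid=alice and uid=bob under ou=People are constructed for the example and are not on the page; only the <what>/<who> forms used in the posted config are supported.

```python
"""Evaluate slapd.conf-style access directives for a given bind DN.

Added example, not the poster's configuration logic or OpenLDAP's own code.
Models the documented evaluation order: first matching 'access to', first
matching 'by', implicit 'by * none', rootdn bypasses everything.
"""
import re

# Access levels in slapd's order; each level implies every level below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed sample: the access stanza and rootdn from the posted slapd.conf.
SLAPD_CONF = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by * read
"""
ROOTDN = "cn=Manager,dc=testing,dc=com"


def norm_dn(dn):
    """Normalise a DN for comparison: lower-case, no whitespace after commas."""
    return re.sub(r",\s*", ",", dn.strip().lower()) if dn else ""


def parse_acls(text):
    """Parse 'access to <what> by <who> <level> ...' directives.

    Returns [(what, [(who, level), ...]), ...] in file order. Order matters:
    slapd stops at the first <what> that matches and, inside it, at the first
    <who> that matches. Handles both indented continuation lines and the
    flattened layout of the post.
    """
    body = " ".join(l.strip() for l in text.splitlines()
                    if l.strip() and not l.lstrip().startswith("#"))
    acls = []
    for chunk in re.split(r"\baccess\s+to\s+", body):
        chunk = chunk.strip()
        if not chunk:
            continue
        what, *clauses = re.split(r"\s+by\s+", chunk)
        bys = []
        for clause in clauses:
            who, level = clause.split()
            if level not in LEVELS:
                raise ValueError("unsupported access level: %s" % level)
            bys.append((who, level))
        acls.append((what.strip(), bys))
    return acls


def what_matches(what, attr):
    """<what> selectors supported: '*' and 'attrs=<comma list>'."""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.strip().lower() for a in what[len("attrs="):].split(",")}
        return attr.lower() in wanted
    raise ValueError("unsupported <what> selector: %s" % what)


def who_matches(who, bind_dn, target_dn):
    """<who> selectors supported: '*', 'anonymous', 'users', 'self'."""
    if who == "*":
        return True
    if who == "anonymous":
        return not bind_dn
    if who == "users":
        return bool(bind_dn)
    if who == "self":
        return bool(bind_dn) and norm_dn(bind_dn) == norm_dn(target_dn)
    raise ValueError("unsupported <who> selector: %s" % who)


def granted_level(acls, bind_dn, target_dn, attr, rootdn=ROOTDN):
    """Access level slapd would grant bind_dn on attr of target_dn.

    bind_dn None or '' means an anonymous (unauthenticated) client.
    """
    if bind_dn and norm_dn(bind_dn) == norm_dn(rootdn):
        return "manage"          # rootdn is never subject to ACLs
    for what, bys in acls:
        if not what_matches(what, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"            # implicit 'by * none' ends each directive
    return "none"                # no directive matched at all: denied


def allowed(acls, bind_dn, target_dn, attr, needed, rootdn=ROOTDN):
    """True if the granted level is at least 'needed' (levels are cumulative)."""
    got = granted_level(acls, bind_dn, target_dn, attr, rootdn)
    return LEVELS.index(got) >= LEVELS.index(needed)


if __name__ == "__main__":
    acls = parse_acls(SLAPD_CONF)
    alice = "uid=alice,ou=People,dc=testing,dc=com"   # constructed entry
    bob = "uid=bob,ou=People,dc=testing,dc=com"       # constructed entry
    for ident, label in [(alice, "alice (self)"), (bob, "bob"),
                         (None, "anonymous"), (ROOTDN, "rootdn")]:
        print("%-12s userPassword -> %-6s  cn -> %s" % (
            label,
            granted_level(acls, ident, alice, "userPassword"),
            granted_level(acls, ident, alice, "cn")))
```

Running it with the posted stanza reproduces what slapd itself reports when started with `-d acl`: a password change succeeds only when the modify request arrives on a connection bound as the very DN being modified, so a client that ends up with "Insufficient access" under these rules was either unbound or bound as some other DN.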