So my users weren’t able to use the passwd command after I implemented LDAP auth on a specific client.
Here’s a quick fix to /etc/pam.d/common-password
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
Needs to become…..
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
Basically, removing use_authtok lets try_first_pass get processed successfully (I believe, more or less), and therefore the passwd command can then properly check the first password you type, unlike the error users got before:
$ passwd
Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged
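Here is an added example (not from the original post) that checks a common-password file for a pam_ldap.so password line still carrying use_authtok and prints the file with that option removed from the pam_ldap line only. The sample file contents are constructed to look like a Debian-style stack around the line above; the function names and the pam_unix/pam_cracklib lines in the sample are my assumptions, not something taken from the poster's system.

```shell
#!/bin/sh
# Added example: find and fix a pam_ldap.so password line that uses use_authtok.
# Not part of the original post; function names are assumptions.

# Print the "password" lines in FILE that call pam_ldap.so with use_authtok.
# Exit status 0 if at least one such line exists, 1 if none does.
find_use_authtok() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_ldap\.so.*[[:space:]]use_authtok([[:space:]]|$)' "$1"
}

# Print FILE with use_authtok stripped from pam_ldap.so password lines only.
# Other modules (pam_unix, pam_cracklib, ...) keep their use_authtok as-is.
fix_pam_ldap_line() {
    sed -E '/^[[:space:]]*password[[:space:]].*pam_ldap\.so/ s/[[:space:]]+use_authtok([[:space:]]|$)/\1/' "$1"
}

# Write a constructed sample common-password to FILE (sample data, assumed layout).
write_sample() {
    cat > "$1" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
EOF
}

main() {
    tmp="${TMPDIR:-/tmp}/common-password.sample.$$"
    write_sample "$tmp"
    echo "== pam_ldap.so password lines still using use_authtok =="
    find_use_authtok "$tmp" || echo "(none)"
    echo "== corrected file (review before copying over /etc/pam.d/common-password) =="
    fix_pam_ldap_line "$tmp"
    rm -f "$tmp"
}

main "$@"
```

fix_pam_ldap_line writes to stdout, so redirect it to a copy and diff it against the real file before replacing anything; a broken common-password locks everyone out of password changes. The reason the option matters: use_authtok tells pam_ldap to take the new password that an earlier module in the stack already collected instead of prompting for one itself, and when no earlier module supplied one, the result is the "Authentication information cannot be recovered" error shown above. With try_first_pass alone, pam_ldap reuses an earlier token if there is one and prompts otherwise. The trade-off to keep in mind is that if the earlier module was the one enforcing password quality (pam_cracklib in the constructed sample), a prompt issued by pam_ldap itself bypasses that check for LDAP users, so verify with a test account that the quality rules still apply after the change.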