So my users weren’t able to use the passwd command after I implemented LDAP auth on a specific client.

Here’s a quick fix to /etc/pam.d/common-password. This line:

password [success=1 userunknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

needs to become:

password [success=1 userunknown=ignore default=die] pam_ldap.so try_first_pass

Basically, removing use_authtok lets try_first_pass get processed (I believe), and therefore the passwd command can then properly check the first password you type, unlike the error users got before:

$ passwd
Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged
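As an added example (not part of the original post), here is a small POSIX shell audit for the change above: one function reports pam_ldap.so password lines that still carry use_authtok, and another emits a corrected copy of the stack with that option dropped while leaving the pam_unix.so line untouched. The sample common-password is constructed inline; the function names and the temp-file approach are assumptions, and nothing here writes to the real /etc/pam.d/common-password.

```shell
#!/bin/sh
# Added example: audit a PAM "password" stack for use_authtok on pam_ldap.so.
# Function names are hypothetical; the stack file is passed in as an argument.

# Print pam_ldap.so "password" lines that still carry use_authtok.
# Exit status 0 when at least one such line exists, 1 otherwise (grep semantics).
find_ldap_use_authtok() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_ldap\.so.*use_authtok' "$1"
}

# Emit a corrected copy of the stack: drop use_authtok only from pam_ldap.so
# "password" lines; every other line (e.g. pam_unix.so) is passed through as-is.
fix_ldap_use_authtok() {
    sed -E '/^[[:space:]]*password[[:space:]].*pam_ldap\.so/ s/[[:space:]]+use_authtok//' "$1"
}

# Constructed sample common-password mirroring the broken line from the post.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
password [success=1 userunknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
EOF

# Report the offending line, then show the corrected stack on stdout.
find_ldap_use_authtok "$SAMPLE"
fix_ldap_use_authtok "$SAMPLE"
```

Review the emitted stack before copying it over the live file, since a typo in /etc/pam.d/common-password can lock every local user out of password changes.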

Mario Loria

./scriptthe.net

Because 127.0.0.1 gets old after a while.