So my users weren’t able to use the passwd command after I implemented LDAP auth on a specific client.

Here’s a quick fix to /etc/pam.d/common-password

password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass

Needs to become…..

password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass

Basically, removing use_authtok lets try_first_pass get processed (I believe), and therefore the passwd command can properly check the first password you type, instead of the error users got before:

$ passwd
Enter login(LDAP) password:
passwd: Authentication information cannot be recovered
passwd: password unchanged
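To check a client for the same problem before touching it by hand, here is a small POSIX shell script (an added example, not part of the original post) that audits a common-password file for a pam_ldap.so line still carrying use_authtok and prints what the file would look like with that option removed from the pam_ldap.so line only. It takes the file path as an argument and builds a constructed sample resembling the post's configuration, so it never modifies the live /etc/pam.d/common-password.

```shell
#!/bin/sh
# Added example: audit a PAM common-password file for the pam_ldap.so
# password line that carries use_authtok (the option the post removes).

# Print pam_ldap.so password lines that still carry use_authtok.
# Exit status 0 if at least one such line exists, 1 otherwise.
find_use_authtok() {
    grep -E '^[[:space:]]*password[[:space:]].*pam_ldap\.so.*[[:space:]]use_authtok([[:space:]]|$)' "$1"
}

# Emit the file with use_authtok stripped from pam_ldap.so password lines.
# Other modules on the stack (pam_unix.so etc.) are left untouched, because
# the post's fix only changes the pam_ldap.so line.
strip_use_authtok() {
    sed -E '/^[[:space:]]*password[[:space:]].*pam_ldap\.so/ s/[[:space:]]+use_authtok([[:space:]]|$)/\1/' "$1"
}

# Constructed sample (not a real client's file) modelled on the post's
# common-password stack, written to the path given as $1.
make_sample() {
    cat > "$1" <<'EOF'
password        requisite                       pam_pwquality.so retry=3
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
EOF
}

# Dry run against the constructed sample.
sample=$(mktemp)
make_sample "$sample"
if find_use_authtok "$sample" >/dev/null; then
    echo "pam_ldap.so still has use_authtok; corrected file would read:"
    strip_use_authtok "$sample"
else
    echo "no pam_ldap.so line with use_authtok found"
fi
rm -f "$sample"
```

Run it as-is for the dry run, or call strip_use_authtok on a copy of the real file and diff the result before installing it. One caveat worth knowing: use_authtok tells pam_ldap.so to take the new password from the module that ran before it on the stack (pam_pwquality.so in the sample), so once it is removed pam_ldap.so prompts for the new password itself and that earlier module's quality checks no longer govern the LDAP password.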

Mario Loria is a builder of diverse infrastructure with modern workloads on both bare-metal and cloud platforms. He's traversed roles in system administration, network engineering, and DevOps. You can learn more about him here.