Password change fail LDAP

Alexander E. Patrakov patrakov at
Sat Nov 6 21:03:49 PST 2004

John Lane wrote:

>> Alternatively, you can drop this "cn=nssldap,ou=DSA,dc=jelweb,dc=com"
>> entry at all since it is a duplicate of Manager. Just use Manager instead in
>> nss-ldap and pam-ldap configuration.

> Thanks very much, that works! (well, almost)
> I'm not sure what you mean about dropping the
> "cn=nssldap,ou=DSA,dc=jelweb,dc=com" entry. I tried to delete the
> rootbinddn from ldap.conf but it no longer worked.

I meant that you now have two passwords that allow you full access to
your LDAP server:

1) cn=Manager,dc=jelweb,dc=com - listed as rootdn in slapd.conf with the
password written there in the rootpw statement
2) cn=nssldap,ou=DSA,dc=jelweb,dc=com - listed in ACL, with the password
kept in the LDAP database itself.

There is no good reason to keep both. Depending on which one you want to
keep, do one of the following:

1) You decided to keep only cn=Manager,dc=jelweb,dc=com (this is a bit less
secure). In ldap.conf, mention rootbinddn cn=Manager,dc=jelweb,dc=com, and
put his password into ldap.secret. Delete the
cn=nssldap,ou=DSA,dc=jelweb,dc=com entry from your ldap server. Then delete
the additional ACL you added earlier because I told you so.

2) You decided to go rootless and delete the Manager. The only required
change is to delete the rootdn and rootpw lines from slapd.conf.

> "pam_password sshd" in /etc/openldap/ldap.conf.

Typo? "ssha" is valid, "sshd" is not. The correct thing for OpenLDAP is,
however, "exop".

Alexander E. Patrakov
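
Added example (not part of the original message): a small Python check for the two points raised above, a second full-access DN next to rootdn and a pam_password value other than "exop". The slapd.conf and ldap.conf contents, the placeholder rootpw value and the function names are constructed for illustration.

```python
import re

# Constructed sample files mirroring the setup described in the thread.
SLAPD_CONF = '''\
suffix  "dc=jelweb,dc=com"
rootdn  "cn=Manager,dc=jelweb,dc=com"
rootpw  {SSHA}PLACEHOLDER
access to *
    by dn="cn=nssldap,ou=DSA,dc=jelweb,dc=com" write
    by * read
'''
LDAP_CONF = '''\
base dc=jelweb,dc=com
rootbinddn cn=nssldap,ou=DSA,dc=jelweb,dc=com
pam_password sshd
'''

def norm_dn(dn):
    """Lower-case a DN and drop quotes and spaces around commas for comparison."""
    return re.sub(r"\s*,\s*", ",", dn.strip().strip('"').lower())

def directives(text):
    """Parse 'keyword value' lines; indented lines continue the previous one."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1][1] += " " + line.strip()
        else:
            parts = line.split(None, 1)
            out.append([parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""])
    return out

def audit(slapd_conf, ldap_conf):
    """Return findings: duplicate admin DNs, unprivileged rootbinddn, pam_password."""
    slapd, client = directives(slapd_conf), dict(directives(ldap_conf))
    admins = {norm_dn(v) for k, v in slapd if k == "rootdn"}
    by_dn = r'by\s+dn(?:\.\w+)?=(?:"([^"]+)"|(\S+))\s+(?:write|manage)\b'
    for k, v in slapd:
        if k == "access" and v.split()[:2] == ["to", "*"]:  # whole-tree ACLs only
            admins.update(norm_dn(m.group(1) or m.group(2)) for m in re.finditer(by_dn, v))
    findings = []
    if len(admins) > 1:
        findings.append("multiple full-access DNs: " + "; ".join(sorted(admins)))
    bind = client.get("rootbinddn")
    if bind and norm_dn(bind) not in admins:
        findings.append("rootbinddn has no write access: " + norm_dn(bind))
    if client.get("pam_password", "").lower() != "exop":
        findings.append("pam_password is not exop: %r" % client.get("pam_password"))
    return findings
```

Calling audit(SLAPD_CONF, LDAP_CONF) on the sample reports both the duplicate full-access DN and the pam_password value; after either of the two clean-ups described above and a switch to "exop" it returns an empty list.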
