There are guides like this one which look at this issue thoroughly.
I find this quite difficult to answer, given all the variables. Since Samba and OpenLDAP need some extra configuration, an answer here might not be complete.
After much research and testing, here is the answer to allowing users to use the passwd
function to change their password when they are using SSSD with an LDAP backend. If they can indeed authenticate with their password via ssh to the SSSD client, then the problem of changing their password, which produces the following: "passwd: Authentication token manipulation error", comes from the LDAP ACL. They need self write access to the userPassword attribute.
Add the following to your ldap config file when using olc. Edit olcDatabase={2}bdb.ldif olcAccess:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=Manager,dc=domain.com" write by * none
Make sure you add some more to allow reads and writes for any other attributes you want.
olcAccess: {2}to * by * read by users read by anonymous auth
You just have to do it once for all users. {0}to attrs=userPassword
... just as I listed above is applied as an ACL to the ldap server and applied globally. If you edit the olcDatabase={2}bdb.ldif olcAccess
manually you have to change the CRC, but that's easy as there are many readmes on that.
The other user posted changing bind credentials on the client's /etc/sssd/sssd.conf
like this:
ldap_default_bind_dn = cn=Manager,dc=mydomain,dc=fqdn.com
ldap_default_authtok_type = password
ldap_default_authtok = secret
Modifying the bind credentials in /etc/sssd/sssd.conf
didn't work for me, but allowing users to self-write their userPassword attribute did... You may not always want this, but for using the passwd function on Linux clients with SSSD and an LDAP backend you need it.
Best Answer
In slapd.conf, write the access control rule.
But you should be aware that specific rules are to be written first and the general rule at the end.
For example, the following rule has to be written at the end.
for more information visit: http://www.openldap.org/doc/admin24/access-control.html
MORE INFO
slapd.conf is generally located in
There are some changes in newer versions of LDAP where slapd.conf is supported, but by default the data is stored in the slapd.d directory. If you put your custom slapd.conf there, the process will read slapd.conf instead of the slapd.d directory.
Things to notice
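Added example, not part of either answer above: a small first-match evaluator for the subset of the OpenLDAP access-control grammar used on this page (to attrs=... / to *, by self / anonymous / users / dn="..." / *, levels none < auth < read < write). It models the self-write ACL from the first answer and the ordering rule from the best answer, showing what access each requester actually gets and which rules become unreachable when the catch-all `to *` rule is listed first. The user DN `uid=alice,ou=people,dc=domain.com` and the helper names are constructed assumptions; the Manager DN and the two olcAccess values come from the page.

```python
import re

# Access levels in increasing order; a grant at a higher level implies the lower ones.
LEVELS = ["none", "auth", "read", "write"]

BY_CLAUSE = re.compile(r'by\s+(self|anonymous|users|\*|dn="[^"]*")\s+(none|auth|read|write)')


def parse_rule(line):
    """Parse one olcAccess / access value of the form
    '[{n}]to attrs=a,b by <who> <level> ...' or '[{n}]to * by <who> <level> ...'."""
    body = re.sub(r"^\{\d+\}", "", line.strip())      # strip the {n} ordering prefix olc uses
    m = re.match(r"to\s+(\S+)\s+(.*)$", body)
    if not m:
        raise ValueError("unsupported rule: " + line)
    target, rest = m.groups()
    if target == "*":
        attrs = None                                   # applies to every attribute
    elif target.startswith("attrs="):
        attrs = {a.lower() for a in target[len("attrs="):].split(",")}
    else:
        raise ValueError("unsupported target: " + target)
    return {"attrs": attrs, "by": BY_CLAUSE.findall(rest)}


def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith('dn="'):
        return requester is not None and requester.lower() == who[4:-1].lower()
    return False


def access_level(rules, requester, target_dn, attr):
    """First 'to' clause that covers attr wins; inside it, the first matching 'by' wins;
    a covering clause with no matching 'by' denies (implicit 'by * none')."""
    for rule in rules:
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"


def allows(rules, requester, target_dn, attr, needed):
    """True if the granted level is at least 'needed' (e.g. 'write' for passwd)."""
    return LEVELS.index(access_level(rules, requester, target_dn, attr)) >= LEVELS.index(needed)


def shadowed_rules(rules):
    """Indices of attribute-specific rules that can never match because an earlier
    'to *' rule already covers everything (the ordering mistake the best answer warns about)."""
    catch_all = next((i for i, r in enumerate(rules) if r["attrs"] is None), None)
    if catch_all is None:
        return []
    return [i for i in range(catch_all + 1, len(rules)) if rules[i]["attrs"] is not None]


# Constructed sample: the two ACL values from the first answer, in the recommended order
# (specific userPassword rule first, catch-all last).
GOOD = [parse_rule(l) for l in [
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=Manager,dc=domain.com" write by * none',
    '{1}to * by * read by users read by anonymous auth',
]]
# Same two rules with the order reversed: the catch-all shadows the password rule.
BAD = [parse_rule(l) for l in [
    '{0}to * by * read by users read by anonymous auth',
    '{1}to attrs=userPassword,shadowLastChange by self write by anonymous auth '
    'by dn="cn=Manager,dc=domain.com" write by * none',
]]

ALICE = "uid=alice,ou=people,dc=domain.com"   # constructed user entry DN (assumption)
MANAGER = "cn=Manager,dc=domain.com"          # the rootdn quoted on the page

if __name__ == "__main__":
    for name, acl in (("good", GOOD), ("bad", BAD)):
        print(name,
              "| self can write userPassword:", allows(acl, ALICE, ALICE, "userPassword", "write"),
              "| anonymous can read userPassword:", allows(acl, None, ALICE, "userPassword", "read"),
              "| shadowed rules:", shadowed_rules(acl))
```

With the rules in the order the answers recommend, a user gets write on their own userPassword (so passwd works), anonymous binds get only auth (enough to verify a bind, not to read the hash), and other users get nothing. With the catch-all first, the password rule is never reached: the user only gets read (passwd fails with the error quoted above) and anonymous connections can read password hashes.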