Subject: Using passwd with LDAP
To: None <netbsd-help@netbsd.org>
From: Staffan Thomén <duck@multi.fi>
List: netbsd-help
Date: 05/30/2007 03:13:04

Hi, I've set up ldap authentication on my NetBSD 3.1 system parallel
to my local users, everything works, login, ssh, su except passwd. As
it is, only root is able to change the password of an ldap user
(note: it is NOT set in the local passwd database).

If the ldap user tries to run passwd they're asked for the old
password, and upon entry they get:

Unable to change auth token: permission denied

Now I have tested this out, and the LDAP account that I use for
managing the affairs of nss and pam is able to edit the requisite
fields. There is no difference other than that root is asked for the
old password if I disable the usage of rootbinddn. Also the user
(self) is able to write to their own password field.

It seems to me that there is some--possibly archaic--quirk in the  
password system that is blocking the user from changing their  
password; and so I ask for enlightenment :-)

There are quite a lot of configuration files here; instead of spamming
everything here, I'll let you request anything you feel is pertinent.

Yours,
  Staffan
