RE: Does any have LDAP password change working with "passwd"?
Also, if doing replication, be sure to use a recent CVS snapshot (preferably
from the REL_ENG_2 branch, I think....) or 2.0.12 when it's released. 2.0.11
has a bug where it doesn't replicate passwords changed via the extended
operation (this includes using ldappassword....) At least, this is true for
back-ldbm. I have no idea about other backends. I've never used them.
> -----Original Message-----
> From: David Wright [mailto:ichbin@heidegger.rprc.washington.edu]
> Sent: Wednesday, August 15, 2001 3:00 AM
> To: Dax Kelson; pamldap@padl.com; openLDAP-software@OpenLDAP.org
> Subject: Re: Does any have LDAP password change working with "passwd"?
>
> > Is this even possible (it seems it should be)?
>
> Yes. I do, but it took some doing to get it working. First, pick a
> password scheme for OpenLDAP (in /etc/openldap/slapd.conf). I chose
>     password-hash {MD5}
> Next, tell pam_ldap to let OpenLDAP do the password hashing (in
> /etc/ldap.conf), instead of trying to do it locally.
>     pam_password exop
> Of course, if you do this, you had better use TLS or SSL LDAP
> connections. Finally, be sure you are using a very recent version of
> pam_ldap (eg pam_ldap-122), as earlier versions have a bug that makes
> exop not work with OpenLDAP. As of now, I believe none of RH's nss_ldap
> rpms contain a sufficiently recent pam_ldap.
>
> Of course, you must use a pam-ified passwd (RH does), have a reasonable
> pam password stack, eg
>     password required   /lib/security/pam_cracklib.so retry=3
>     password sufficient /lib/security/pam_ldap.so use_authtok
>     password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
>     password required   /lib/security/pam_deny.so
> and have configured OpenLDAP
>     access to attrs=userPassword
>         by self write
> to give users write access to their passwords.
>
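As an added example (not code from the thread), a small POSIX shell audit helper that checks the settings David's message describes (server-side password-hash, pam_password exop, TLS on the pam_ldap side, a self-write ACL on userPassword, and pam_ldap in the PAM password stack) against constructed sample files. The file names, the sample contents and the `ssl start_tls` keyword check are assumptions.

```shell
#!/bin/sh
# Added audit helper, not code from the thread. Checks the settings the
# message above describes for passwd-driven LDAP password changes through
# pam_ldap's exop mode. File names and sample contents are constructed.

check_ldap_passwd_config() {
    slapd="$1"; ldapconf="$2"; pamfile="$3"; fails=0
    # slapd.conf: a password-hash scheme so slapd hashes what exop sends
    grep -Eq '^[[:space:]]*password-hash[[:space:]]+\{' "$slapd" ||
        { echo "MISSING: password-hash in $slapd"; fails=$((fails+1)); }
    # ldap.conf: hand the new password to slapd via the Password Modify exop
    grep -Eq '^[[:space:]]*pam_password[[:space:]]+exop' "$ldapconf" ||
        { echo "MISSING: pam_password exop in $ldapconf"; fails=$((fails+1)); }
    # ldap.conf: exop carries the cleartext, so TLS is required (assumed keyword)
    grep -Eq '^[[:space:]]*ssl[[:space:]]+(start_tls|on|yes)' "$ldapconf" ||
        { echo "MISSING: ssl start_tls/on in $ldapconf"; fails=$((fails+1)); }
    # slapd.conf: users may write their own userPassword; the "by self write"
    # clause may sit on the access line itself or on a continuation line
    awk '/^[[:space:]]*access[[:space:]]+to[[:space:]]+attrs=userPassword/ {
             inblk=1; if ($0 ~ /by[[:space:]]+self[[:space:]]+write/) ok=1; next }
         /^[[:space:]]*access[[:space:]]+to/ { inblk=0 }
         inblk && /by[[:space:]]+self[[:space:]]+write/ { ok=1 }
         END { exit !ok }' "$slapd" ||
        { echo "MISSING: userPassword self-write ACL in $slapd"; fails=$((fails+1)); }
    # PAM: pam_ldap in the password stack, reusing the token pam_cracklib checked
    grep -Eq '^[[:space:]]*password[[:space:]]+(sufficient|required|requisite)[[:space:]]+[^[:space:]]*pam_ldap\.so.*use_authtok' "$pamfile" ||
        { echo "MISSING: pam_ldap.so use_authtok in $pamfile"; fails=$((fails+1)); }
    return "$fails"   # 0 when every setting is present
}

# Constructed sample files following the thread's recommendations.
write_sample_configs() {
    printf '%s\n' 'password-hash {MD5}' 'access to attrs=userPassword' \
        '    by self write' '    by anonymous auth' > "$1/slapd.conf"
    printf '%s\n' 'host ldap.example.com' 'ssl start_tls' 'pam_password exop' \
        > "$1/ldap.conf"
    printf '%s\n' 'password required   /lib/security/pam_cracklib.so retry=3' \
        'password sufficient /lib/security/pam_ldap.so use_authtok' \
        'password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow' \
        'password required   /lib/security/pam_deny.so' > "$1/pam-passwd"
}

demo=$(mktemp -d)
write_sample_configs "$demo"
if check_ldap_passwd_config "$demo/slapd.conf" "$demo/ldap.conf" "$demo/pam-passwd"; then
    echo "OK: exop password-change path fully configured"
fi
rm -rf "$demo"
```

Point the three arguments at the real /etc/openldap/slapd.conf, /etc/ldap.conf and /etc/pam.d/passwd to audit a live host; each missing setting prints one MISSING line and raises the exit status.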