Re: Does any have LDAP password change working with "passwd"?
Hi,
I know this setup will work perfectly, but how will root change these
passwords, if you don't want root to be an object in the database?
Probably some acl stuff, but I haven't figured it out, so I am moving to a
webified version of passwd since our helpdesk needs to be able to as well.
The way I am doing it is having a user object in ldap who only has rights
to change the userPassword attribute, and then my script will bind as that
user, and be able to change anybody's password w/out needing to know their
original password.
Andy
On Wed, 15 Aug 2001, David Wright wrote:
>
> > Is this even possible (it seems it should be)?
>
> Yes. I do, but it took some doing to get it working. First, pick a
> password scheme for OpenLDAP (in /etc/openldap/slapd.conf). I chose
> password-hash {MD5}password
> Next, tell pam_ldap to let OpenLDAP do the password hashing (in
> /etc/ldap.conf), instead of trying to do it locally.
> pam_password exop
> Of course, if you do this, you had better use TLS or SSL LDAP
> connections. Finally, be sure you are using a very recent version of
> pam_ldap (eg pam_ldap-122), as earlier versions have a bug that makes
> exop not work with OpenLDAP. As of now, I believe none of RH's nss_ldap
> rpms contain a sufficiently recent pam_ldap.
>
> Of course, you must use a pam-ified passwd (RH does), have a reasonable
> pam password stack, eg
> password required /lib/security/pam_cracklib.so retry=3
> password sufficient /lib/security/pam_ldap.so use_authtok
> password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
> password required /lib/security/pam_deny.so
> and have configured OpenLDAP
> access to attrs=userPassword
> by self write
> to give users write access to their passwords.
>
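To make the quoted setup concrete, here is an added example that is not code from either poster: a stdlib-only Python encoder for the RFC 3062 Password Modify extended operation, which is what "pam_password exop" makes pam_ldap send and what a helpdesk script like Andy's would bind and issue, plus the {MD5} value slapd stores under "password-hash {MD5}". The DN and passwords are constructed sample values.

```python
# Added example, not code from the thread. Builds the RFC 3062 Password
# Modify request that "pam_password exop" makes pam_ldap send, and shows the
# {MD5} form slapd stores under "password-hash {MD5}". Stdlib only, offline.
import base64
import hashlib

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # extended-operation OID, RFC 3062

def ber_length(n: int) -> bytes:
    """Definite-form BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_length(len(value)) + value

def passwd_modify_request(user_dn=None, old_password=None, new_password=None):
    """BER-encode PasswdModifyRequestValue ::= SEQUENCE {
         userIdentity [0] OCTET STRING OPTIONAL,
         oldPasswd    [1] OCTET STRING OPTIONAL,
         newPasswd    [2] OCTET STRING OPTIONAL }
    A self-service change ("by self write") carries oldPasswd so slapd can
    verify it; a helpdesk bind with write access to userPassword omits it,
    so that bind DN needs the same protection as the rootdn."""
    body = b""
    if user_dn is not None:
        body += tlv(0x80, user_dn.encode())        # [0] context-specific tag
    if old_password is not None:
        body += tlv(0x81, old_password.encode())   # [1]
    if new_password is not None:
        body += tlv(0x82, new_password.encode())   # [2]
    return tlv(0x30, body)                         # outer SEQUENCE

def md5_scheme(password: str) -> str:
    """Value slapd stores for password-hash {MD5}: base64 of the raw digest.
    It is unsalted, so equal passwords give equal stored values; {SSHA}
    (salted) is the safer scheme choice."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def md5_scheme_matches(stored: str, candidate: str) -> bool:
    """Server-side comparison of a stored userPassword value and a candidate."""
    return stored.startswith("{MD5}") and md5_scheme(candidate) == stored

if __name__ == "__main__":
    req = passwd_modify_request("uid=bob,dc=example,dc=com", "old-pw", "new-pw")
    print(PASSWD_MODIFY_OID, req.hex(), md5_scheme("new-pw"))
```

The request value is what an LDAP client wraps in an ExtendedRequest with the OID above; only the encoding and the hashing are shown here, not the bind or the TLS session the quoted message insists on.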