Re: Does any have LDAP password change working with "passwd"?

[Andrew C Altepeter <aaltepet@cs.und.edu>]

Hi,

I know this setup will work perfectly, but how will root change these
passwords, if you don't want root to be an object in the database?
Probably some acl stuff, but I haven't figured it out, so I am moving to a
webified version of passwd since our helpdesk needs to be able to as well.

The way I am doing it is having a user object in ldap who only has rights
to change the userPassword attribute, and then my script will bind as that
user, and be able to change anybodies password w/out needing to know their
original password.

Andy

On Wed, 15 Aug 2001, David Wright wrote:

>
> > Is this even possible (it seems it should be)?
>
> Yes. I do, but it took some doing to get it working. First, pick a
> password scheme for OpenLDAP (in /etc/openldap/slapd.conf).  I chose
>    password-hash	{MD5}password
> Next, tell pam_ldap to let OpenLDAP do the password hashing (in
> /etc/ldap.conf), instead of trying to do it locally.
>    pam_password exop
> Of couse, if you do this, you had better use TLS or SSL LDAP
> connections. Finally, be sure you are using a very recent version of
> pam_ldap (eg pam_ldap-122), as earlier versions have a bug that makes
> exop not work with OpenLDAP. As of now, I believe none of RH's nss_ldap
> rpms contain a sufficiently recent pam_ldap.
>
> Of course, you must use a pam-ified passwd (RH does), have a reasonable
> pam password stack, eg
>    password    required      /lib/security/pam_cracklib.so retry=3
>    password    sufficient    /lib/security/pam_ldap.so use_authtok
>    password    sufficient    /lib/security/pam_unix.so nullok
> use_authtok md5 shadow
>    password    required      /lib/security/pam_deny.so
> and have configured OpenLDAP
>    access to attrs=userPassword
>      by self write
> to give users write access to their passwords.
>