
Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1




How OpenLDAP works with passwords is directly related to OpenLDAP and its integration with PAM. It is not as simple as OpenLDAP stores the password. OpenLDAP also stores shadow account information, and the ACLs associated with OpenLDAP directly affect the way in which users interact with OpenLDAP; this includes interaction at the password level. For example, I have found that with certain ACLs I can get attribute shadowLastChanged to be strictly enforced, but the user for some reason immediately receives a closed connection. I can change the ACLs in OpenLDAP and suddenly shadowLastChanged is totally ignored.

So again, I do not believe that it is just as simple as OpenLDAP stores the password. There are clearly some ACL issues here; there are also pam_ldap.so issues as well. Believe me, this group is not the only group I have discussed this issue with. It is actually one of three.

I believe in covering my bases.

Thanks!
Eric Sammons
(804)697-3925
FRIT - Unix Systems



"Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Sent by: owner-openldap-software@OpenLDAP.org

12/18/2003 03:29 PM

       
To: Eric.Sammons@frit.frb.org
cc: openldap-software@OpenLDAP.org
Subject: Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1


This functionality has nothing to do with OpenLDAP Software...
OpenLDAP itself doesn't force any password to change.  (OpenLDAP
might be used to store information used by other applications,
but what they store and how they use it is their business.)
Suggest you take this to a more appropriate mailing list.
Maybe <pamldap@padl.com> or some SuSE Linux list.  You can
find some points to Linux LDAP How-to in our FAQ
<http://www.openldap.org/faq/index.cgi?file=60>.

Kurt

At 05:01 AM 12/17/2003, Eric.Sammons@frit.frb.org wrote:

>I am running OpenLDAP v. 2.1 in my Linux environment (testing functionality). I am attempting to execute passwd -e <userid>. Run passwd --help and you will see that this flag should set the force password change on next login for the given user. However, when I execute this command I get the error:
>
>Error changing login shell
>
>I am able to reset my passwd using passwd <user>, I am able to login via ssh both from ldap client only systems and the ldap server/client system.  So I have some level of confidence that things are set up correctly.
>
>Any idea what might be going on here?
>
>Thanks!
>Eric Sammons
>(804)697-3925
>FRIT - Unix Systems