[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1
PAM LDAP requirements are not specific to OpenLDAP Software.
Use the pamldap@padl.com list to learn specifically what its
requirements are. That includes what information stores
and what policies (schema,access,etc.) are appropriate for the
that information.
Now, how to implement a particular policy in OpenLDAP Software
is a question specific to OpenLDAP Software. However you
didn't ask "how to implement a particular access control
policy", you asked "what are the appropriate access control
policies" for applications X, Y, Z. That's quite different.
To get good answers from this list, I suggest you make your
question specific to OpenLDAP Software. Best way is to do this
is to describe your questions using on OpenLDAP Software.
For example:
If I do this in slapd(8), why do I see this is ldapsearch(1)?
or
I want to see this in ldapsearch(1), how do I configure slapd(8)
to make that happen?
(and if if you cannot, well, that says something about your
question, does it?)
As soon as you draw in non-OpenLDAP software, many OpenLDAP Software
experts on this list will simply hit 'd'elete. This because they
just aren't familiar with the particular non-OpenLDAP software you
drew into the discussion.
Kurt
At 04:09 AM 12/19/2003, Eric.Sammons@frit.frb.org wrote:
>How OpenLDAP works with passwords is directly related to OpenLDAP and its integration with PAM. It is not as simple as OpenLDAP stores the password. OpenLDAP also stores shadow account information and the ACLs associated with OpenLDAP directly affect the way in which users interact with OpenLDAP, this includes interaction at the password level. For example I have found with certain ACLs I can get attribute shadowLastChanged to be strictly enforced but the user for some reason immediately receives a closed connection. I can change the ACLs in OpenLDAP and suddenly shadowLastChanged is totally ignored.
>
>So again, I do not believe that it is just as simple as OpenLDAP stores the password. There is clearly some ACL issues here, there is also pam_ldap.so issues as well. Believe me this group is not the only group I have discussed this issue with. It is actually one of three.
>
>I believe in covering my bases.
>
>Thanks!
>Eric Sammons
>(804)697-3925
>FRIT - Unix Systems
>
>
>
>"Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
>Sent by: owner-openldap-software@OpenLDAP.org
>
>12/18/2003 03:29 PM
> To: Eric.Sammons@frit.frb.org
> cc: openldap-software@OpenLDAP.org
> Subject: Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1
>
>This functionality has nothing to do with OpenLDAP Software...
>OpenLDAP itself doesn't force any password to change. (OpenLDAP
>might be used to store information used by other applications,
>but what they store and how they use it is their business.)
>Suggest you take this to a more appropriate mailing list.
>Maybe <pamldap@padl.com> or some SuSE Linux list. You can
>find some points to Linux LDAP How-to in our FAQ
><<http://www.openldap.org/faq/index.cgi?file=60>http://www.openldap.org/faq/index.cgi?file=60>.
>
>Kurt
>
>At 05:01 AM 12/17/2003, Eric.Sammons@frit.frb.org wrote:
>
>>I am running OpenLDAP v. 2.1 in my Linux environment (testing functionality). I am attempting to execute passwd -e <userid>. Run passwd --help you will see that this flag should set the force password change on next login for the given user. However, when I execute this command I get the error:
>>
>>Error changing login shell
>>
>>I am able to reset my passwd using passwd <user>, I am able to login via ssh both from ldap client only systems and the ldap server/client system. So I have some level of confidence that things are set up correctly.
>>
>>Any idea what might be going on here?
>>
>>Thanks!
>>Eric Sammons
>>(804)697-3925
>>FRIT - Unix Systems
>