[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1

To: openldap-software@OpenLDAP.org
Subject: Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1
From: Tony Earnshaw <tonye@billy.demon.nl>
Date: Fri, 19 Dec 2003 16:33:55 +0100
In-reply-to: <20031219120924.1AD1485803@p3fed1.frb.org>
Organization: Billy
References: <20031219120924.1AD1485803@p3fed1.frb.org>

fre, 19.12.2003 kl. 13.09 skrev Eric.Sammons@frit.frb.org:

> How OpenLDAP works with passwords is directly related to OpenLDAP and
> its integration with PAM.

No. Openldap doesn't "work" with passwords, if simply stores them, using
methods described in rfcs (consult the docs in the latest tarball
distribution doc/rfc directory). In this case, I don't suppose there is
much fifference between 2.0.x and 2.1.x.

>   It is not as simple as OpenLDAP stores the password.

Yes it is.

>   OpenLDAP also stores shadow account information

Yes.

> and the ACLs  associated with OpenLDAP directly affect the way in
> which users interact with OpenLDAP,

Yes

>  this includes interaction at the password level.

Yes. This is distro-dependent.

> For example I have found with certain ACLs I can get attribute
> shadowLastChanged to be strictly enforced but the user for some reason
> immediately receives a closed connection.

Possibly. This is distro-dependent.

>   I can change the ACLs in OpenLDAP and suddenly shadowLastChanged is
> totally ignored.

Oh, absolutely. That's what ACLs are for ;)

> So again, I do not believe that it is just as simple as OpenLDAP
> stores the password.

Correct, it's distro-dependent.

>   There is clearly some ACL issues here,

Definitely.

>  there is also pam_ldap.so issues as well.

Distro-dependent (there didn't ought to be).

>   Believe me this group is not the only group I have discussed this
> issue with.  It is actually one of three.

Probably. You should have stuck around here.

The difficulties that *you* find with *your* particular distro and
*your* ACLs (you refuse to disclose what these are) I do not find with
RedHat Enterprise Server 3 nor RedHat 7.2. Everything that you say
doesn't work for you, does in fact work for me. Of course, I can eff up
everything by lousing up my ACLs - and have done, in the past.

> I believe in covering my bases.

Then your outstretched right hand should preferably be moved to a
different location ;)

--Tonni
 
-- 
mail: billy - at - billy.demon.nl
http://billy.demon.nl

References:
- Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1
  - From: Eric.Sammons@frit.frb.org

Prev by Date: Re: Authentication Confusion
Next by Date: Re: Problems with the file core.schema included with OpenLDAP2.1.22 & 2.1.25
Index(es):
- Chronological
- Thread