Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1
Fri, 19.12.2003 at 13.09, Eric.Sammons@frit.frb.org wrote:
> How OpenLDAP works with passwords is directly related to OpenLDAP and
> its integration with PAM.
No. Openldap doesn't "work" with passwords, it simply stores them, using
methods described in rfcs (consult the docs in the latest tarball
distribution doc/rfc directory). In this case, I don't suppose there is
much difference between 2.0.x and 2.1.x.
> It is not as simple as OpenLDAP stores the password.
Yes it is.
> OpenLDAP also stores shadow account information
Yes.
> and the ACLs associated with OpenLDAP directly affect the way in
> which users interact with OpenLDAP,
Yes.
> this includes interaction at the password level.
Yes. This is distro-dependent.
> For example I have found with certain ACLs I can get attribute
> shadowLastChanged to be strictly enforced but the user for some reason
> immediately receives a closed connection.
Possibly. This is distro-dependent.
> I can change the ACLs in OpenLDAP and suddenly shadowLastChanged is
> totally ignored.
Oh, absolutely. That's what ACLs are for ;)
> So again, I do not believe that it is just as simple as OpenLDAP
> stores the password.
Correct, it's distro-dependent.
> There is clearly some ACL issues here,
Definitely.
> there is also pam_ldap.so issues as well.
Distro-dependent (there didn't ought to be).
> Believe me this group is not the only group I have discussed this
> issue with. It is actually one of three.
Probably. You should have stuck around here.
The difficulties that *you* find with *your* particular distro and
*your* ACLs (you refuse to disclose what these are) I do not find with
RedHat Enterprise Server 3 nor RedHat 7.2. Everything that you say
doesn't work for you, does in fact work for me. Of course, I can eff up
everything by lousing up my ACLs - and have done, in the past.
> I believe in covering my bases.
Then your outstretched right hand should preferably be moved to a
different location ;)
--Tonni
--
mail: billy - at - billy.demon.nl
http://billy.demon.nl
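For readers following the ACL point above: the attribute RFC 2307 defines is shadowLastChange, and whether it gets updated when a user changes their password depends on who slapd lets write it. The slapd.conf fragment below is an added, constructed example (not from either poster's configuration); the "broken" and "working" forms are assumptions about a typical pam_ldap setup where the user's own bind DN performs the password change.

```conf
# Constructed example, slapd.conf ACL section.
#
# Too restrictive: the user may change userPassword, but nothing may
# write shadowLastChange, so a pam_ldap password change leaves the
# aging timestamp untouched and the "must change" state is never cleared.
#
#   access to attrs=userPassword
#       by self write
#       by anonymous auth
#       by * none
#   access to attrs=shadowLastChange
#       by * read
#
# Working form: the authenticated user (self) may write both attributes,
# anonymous binds may only use userPassword for authentication (auth),
# and everyone else is denied. Order matters: the first matching
# "access to" clause wins, so keep these before any broader
# "access to *" rule.

access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by users read
    by * none
```

Granting self write on shadowLastChange also lets a user reset their own aging clock; if that is not acceptable, give write to the DN pam_ldap binds as for password changes (its rootbinddn) instead of to self.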