Re: Best multi-password password changing setup

[Dan White <dwhite@olp.net>]

Buchan,

pwdutils should perform the exop for you, in addition to the 
following:

Make use of the chage command to maintain shadowMin, shadowMax, 
shadowWarning and shadowExpire attributes, assuming your users 
have shadowAccount.

Update shadow expiry information when the passwd command is
executed (the passwd command from pwdutils).

That should help handle shell/PAM authentications.

That doesn't solve your situation with samba/kerberos 
expirations, but you may be able to wrap passwd with a script and 
update the appropriate attributes based on the existing shadow attrs.

- Dan White

Buchan Milne wrote:
> On Thursday 11 October 2007 20:55:51 Dan White wrote:
> > Buchan,
> >
> > You may want to investigate pwdutils:
> >
> > http://www.thkukuk.de/pam/pwdutils/
> >
> > The website it a little dated, but the software appears to be
> > more actively maintained at:
> >
> > ftp://ftp.us.kernel.org/pub/linux/utils/net/NIS
>
> I don't see anything in the current version that would alleviate my problems.
>
> Maybe I was not clear enough. I am not looking for a tool to just change an 
> LDAP password (I use ldappasswd for that currently, and it changes Samba 
> passwords too via the smbk5passwd overlay) or provision accounts to LDAP 
> etc. . I am looking for a solution to ensure that, whichever mechanisms I 
> decide to allow for password changes (e.g. LDAP password change exop), all 
> aspects related to the use of that password are updated consistently, for use 
> via simple binds, authentication via Samba/NTLM/MSCHAPv2, and Kerberos. At 
> present I see no means to accomplish this (at most you can get 2/3).
>
> pwdutils seems mostly to be similar in function to what I am currently using 
> smbldap-tools for (but this function will probably be moved to some in-house 
> software).
>
> Regards,
> Buchan