Re: Password change synchronization
punith punith wrote, on 20-02-2008 03:51:
I am doing authentication using OpenLDAP and I think this is the best place to
ask my problem.
Seems the right one to me :)
What I require is: I have to run a shell script when a user changes his
password.
I.e. suppose that a user has changed his OpenLDAP password; I want to
trigger a shell script which updates the Oracle login password.
Is it possible with OpenLDAP?
If so, how and where should I keep the shell script?
At my main site I use different shell scripts both for looking at the
LDAP db and measuring different parameters and taking action on them, as
well as looking at other factors (such as whether IMAP Maildir
directories have been created for LDAP users) and taking action on
those. I'm doing something similar to what you want, and it's as well to
point out that the site uses ppolicy for posixAccounts; I don't think
I could do it without (I can for Samba, but that's another matter), since
ppolicy provides the standard attribute pwdChangedTime.
1: So yes, it's possible to do this with OpenLDAP.
2: "How" is totally dependent on your shell scripting capabilities and
experience. Basic scripting I've been able to do since day 1 of my Unix
life more than 10 years ago, LDAP-specific scripting (e.g. using
OpenLDAP tools, using HERE docs instead of writing to temporary files,
etc.) I taught myself later by looking at what certain others had done,
using my imagination and adapting. One of the people from whom I grabbed
the basic idea years ago is Johan Vriesman (http://www.vriesman.tk/). I
didn't grab what he was trying to do, just how he does it and twist that
so it became sensible. But always look at what others are doing and how.
For example, sometimes I have to use bc and sed to do simple math for
comparing integer attributes, and it's as well to know how in a shell script.
3: Where to keep the scripts is totally up to you. Most of my scripts
don't involve any privileged system users, but do involve knowing a
privileged LDAP user's password. They can be run by anyone and kept
anywhere. Many of the scripts are called from cron, so these users
should have POSIX accounts, for the most part as mortals.
HTH,
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
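The approach Tony describes above, as an added example for this thread: a cron-driven POSIX shell script that uses ldapsearch and the ppolicy attribute pwdChangedTime to find accounts whose password changed since the last run, and calls a hook for each of them. This is not Tony's script and not part of OpenLDAP; the bind DN, the password file, the state file path, the hook script and the sample LDIF are all hypothetical.

```shell
#!/bin/sh
# pwsync.sh: poll OpenLDAP from cron for accounts whose ppolicy pwdChangedTime
# moved past the last run's watermark, and call a hook for each of them.
# Added example for this thread; not Tony's script and not part of OpenLDAP.
# Assumptions (all hypothetical, adjust to your site):
#   - the ppolicy overlay is active, so changed entries carry pwdChangedTime
#   - a bind DN allowed to read pwdChangedTime, with its password in a
#     mode-0600 file read via ldapsearch -y, not passed on the command line
#   - HOOK is your own script that takes the uid of the changed account

LDAP_URI="${LDAP_URI:-ldap://localhost}"
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=com}"
BIND_DN="${BIND_DN:-cn=pwsync,dc=example,dc=com}"
BIND_PW_FILE="${BIND_PW_FILE:-/etc/pwsync/bindpw}"      # hypothetical path
STATE_FILE="${STATE_FILE:-/var/lib/pwsync/last-seen}"  # hypothetical path
HOOK="${HOOK:-/usr/local/sbin/sync-oracle-password}"   # hypothetical script

# Read LDIF on stdin and print "uid pwdChangedTime" for every entry whose
# pwdChangedTime is strictly later than $1 (GeneralizedTime, e.g.
# 20080220035100Z). The fixed YYYYMMDDHHMMSSZ layout makes plain string
# comparison correct, so no bc/sed arithmetic is needed. Entries without
# pwdChangedTime (never changed since ppolicy was enabled) are skipped.
# Base64 LDIF values ("uid:: ...") are not decoded here.
changed_since() {
    awk -v since="$1" '
        function flush() {
            if (uid != "" && ts != "" && (ts "") > (since "")) print uid, ts
            uid = ""; ts = ""
        }
        /^dn: /             { flush() }
        /^uid: /            { uid = $2 }
        /^pwdChangedTime: / { ts = $2 }
        END                 { flush() }
    '
}

# Newest timestamp in a "uid ts" list. That, not the local clock, becomes the
# next run's watermark, so clock skew between the cron host and the LDAP
# server cannot make a change fall through the gap.
newest_ts() {
    awk '($2 "") > (max "") { max = $2 } END { print max }'
}

run_sync() {
    since=$(cat "$STATE_FILE" 2>/dev/null || echo 19700101000000Z)

    # Server-side >= narrows the result (pwdChangedTime has an ordering
    # matching rule); changed_since then drops entries equal to the watermark
    # so a change already handled by the previous run is not replayed.
    ldif=$(ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" \
            -b "$BASE_DN" \
            "(&(objectClass=posixAccount)(pwdChangedTime>=$since))" \
            uid pwdChangedTime) || { logger -t pwsync "ldapsearch failed"; return 1; }

    changes=$(printf '%s\n' "$ldif" | changed_since "$since")
    [ -n "$changes" ] || return 0

    printf '%s\n' "$changes" | while read -r uid ts; do
        "$HOOK" "$uid" || logger -t pwsync "hook failed for $uid ($ts)"
    done

    newest=$(printf '%s\n' "$changes" | newest_ts)
    printf '%s\n' "$newest" > "$STATE_FILE.tmp" && mv "$STATE_FILE.tmp" "$STATE_FILE"
}

# Constructed sample of what "ldapsearch -LLL ... uid pwdChangedTime" returns,
# for trying changed_since offline: carol has no pwdChangedTime.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
pwdChangedTime: 20080220035100Z

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
pwdChangedTime: 20080219120000Z

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
'

# From cron, e.g.:  */5 * * * *  /usr/local/sbin/pwsync.sh run
case "${1:-}" in
    run) run_sync ;;
esac
```

Offline, `printf '%s\n' "$SAMPLE_LDIF" | changed_since 20080220000000Z` prints only alice. Note what the hook is given: the uid and the fact that the password changed. The directory holds only the password hash, so the new cleartext is not available to a cron script like this one; getting it to Oracle needs a separate mechanism, which is outside this example.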