So I've got openldap running (system details below), and user accounts
authenticating against it, all quite nice. However, the one thing I haven't
figured out is what I need to set up, and how to set it up, so that I can
change a user's password without knowing their old password, i.e. the
forgotten password use case.
I've searched and sifted through lots of documentation, but can't quite
find something that nails it. I'm sure it must be in the archive for this
list, but I'm clearly not using the right search terms.
Two key requirements are:
* I do not want to store the ldap admin password in clear text on a
filesystem, even if it's in a root-readable-only file. I believe rootbinddn
could be used if I didn't mind this.
* It shouldn't be overly awkward. Using the passwd command or
something similar that works like a traditional Unix system is
what I have in mind. At the moment the best I can do is manually
poke a hashed string into the appropriate ldap record, which is
awkard.
Surely I'm not the only one who isn't comfortable putting the unhashed
admin password in a cleartext file, so there must be a solution out
there.
Otherwise, perhaps I will have to write a script that prompts for the
admin password, and then hashes the new user password and uses
ldapmodify to poke it into the ldap record.
My system details are:
Debian Linux with the following packages:
ldap-utils/testing uptodate 2.1.23-1
libldap2-dev/testing uptodate 2.1.23-1
libldap2/testing uptodate 2.1.23-1
libnss-ldap/testing uptodate 211-4
libpam-ldap/testing uptodate 164-2
Configuration files are attached.
Thanks for any help, pointers to FAQ items, online howtos, or other specific
RTFM pointers are more than welcome.
Thanks,
Kief