
OpenLDAP and PAM, does passwd change passes?
As usual, excuse me if these have been answered before, I've done some
searching but not an extensive amount.

Here's the situation, we have a file server running samba and Helios'
Ethershare (like netatalkd, for Mac file sharing), and a password file
that's shared for UIDs so NFS works nicely (actual passwords (shadow) are
not the same from system to system, just UIDs).  It would be nice to rope
all those systems together because there's actually three different password
files.  It's possible for samba and ethershare to use the local unix system's
(in this case Linux) authentication schemas (although I have no idea if
they actually use PAM, I think it's just clear text to the server, then
authenticated locally using whatever?!?!).  It's also possible to have the
respective software change local user passwords using the native password
changing application (like in Mac, changing your password from the Chooser)
if you go the route of using a local unix system's accounts instead of
separate password files.  Obviously if using separate password files for
samba and ethershare, they can change said password file using the native
password changing app.  But then you run into the situation where a user
changes their pass on a Mac, then logs onto a PC and doesn't understand why
it's his old pass.

So this would work great, but I'd also like to get all our Unix boxen
authenticating to a central server, an LDAP server (we run Slowlaris 2.6, 7,
and 8, as well as a slew of Linux all RH 6 or later based).  I know it's
possible to have these servers authenticate, it's just a matter of replacing
some PAM modules, etc.

The real question...
If I change my password (say using passwd on the local system), will PAM (or
other mechanisms) change the LDAP passwords?  (I no longer have a working
LDAP server to try out with).

Other questions that bug me right now...
The password in OpenLDAP is not stored in an encrypted form right?
So you have to tightly secure the box so no one grabs the local system's LDAP
database files or you're messed right?
If authenticating on box A set up to use authentication via LDAP on box B, is
the network chatter between the boxes encrypted?
Anyone have smart ideas on using separate password files and schemas from
separate programs and somehow have what seems to be a unified password
change?  The best I can think of is to write a CGI, have it call a shell
script that changes each password file separately, and enforce a policy that
you only change your pass via that CGI.
What's the price of tea in China?
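The post asks whether OpenLDAP keeps `userPassword` in an unencrypted form. OpenLDAP can store the attribute as a salted hash in the `{SSHA}` format (base64 of a SHA-1 digest over password+salt, followed by the salt), which is what `slappasswd` emits. The following is an added example, not part of the original post or of OpenLDAP itself: it builds and verifies `{SSHA}` values in that format and audits a constructed LDIF fragment for entries whose `userPassword` has no hashing scheme prefix. The LDIF entries, DNs and passwords are constructed sample data, and the `audit_ldif` helper is a hypothetical name chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

SSHA_PREFIX = "{SSHA}"
SHA1_LEN = 20  # SHA-1 digest length in bytes; the salt follows it


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} userPassword value.

    Format: "{SSHA}" + base64( sha1(password || salt) || salt ).
    A random 4-byte salt is used when none is supplied.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password: str, stored: str) -> bool:
    """Verify a candidate password against a stored {SSHA} value."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking match length via timing.
    return hmac.compare_digest(candidate, digest)


def password_scheme(value: str) -> str:
    """Return the hashing scheme name of a userPassword value, or 'cleartext'."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")]
    return "cleartext"


def audit_ldif(ldif_text: str) -> List[Tuple[str, str]]:
    """Report (dn, scheme) for every userPassword in an LDIF text.

    Handles both 'userPassword: value' and the base64 form
    'userPassword:: base64value' that LDIF uses for binary-looking data.
    """
    findings = []
    current_dn = None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            current_dn = line[len("dn: "):].strip()
        elif line.startswith("userPassword:: "):
            value = base64.b64decode(line[len("userPassword:: "):].strip()).decode("utf-8")
            findings.append((current_dn, password_scheme(value)))
        elif line.startswith("userPassword: "):
            value = line[len("userPassword: "):].strip()
            findings.append((current_dn, password_scheme(value)))
    return findings


# Constructed sample LDIF: one hashed entry, one cleartext entry (plain),
# one cleartext entry hidden behind LDIF's base64 encoding.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "uid: alice",
    "userPassword: " + make_ssha("alice-pass", salt=b"abcd"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    "userPassword: bob-pass",
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "uid: carol",
    "userPassword:: " + base64.b64encode(b"carol-pass").decode("ascii"),
])


def cleartext_dns(ldif_text: str = SAMPLE_LDIF) -> List[str]:
    """DNs whose userPassword carries no scheme prefix."""
    return [dn for dn, scheme in audit_ldif(ldif_text) if scheme == "cleartext"]


if __name__ == "__main__":
    for dn, scheme in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: {scheme}")
```

Even with hashed storage, the on-disk database still needs to be protected as the question suggests, since an offline copy can be attacked by guessing; the hash only removes the direct read of the password.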