Re: Does any have LDAP password change working with "passwd"?
Is this even possible (it seems it should be)?
Yes. I do, but it took some doing to get it working. First, pick a
password scheme for OpenLDAP (in /etc/openldap/slapd.conf). I chose
Next, tell pam_ldap to let OpenLDAP do the password hashing (in
/etc/ldap.conf), instead of trying to do it locally.
Of course, if you do this, you had better use TLS or SSL LDAP
connections. Finally, be sure you are using a very recent version of
pam_ldap (eg pam_ldap-122), as earlier versions have a bug that makes
exop not work with OpenLDAP. As of now, I believe none of RH's nss_ldap
rpms contain a sufficiently recent pam_ldap.
Of course, you must use a pam-ified passwd (RH does), have a reasonable
pam password stack, eg
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
and have configured OpenLDAP
access to attrs=userPassword
by self write
to give users write access to their passwords.
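Putting the pieces above together as one worked configuration (an added example, not the poster's own files): the server-side hash scheme and userPassword ACL for /etc/openldap/slapd.conf, and the client-side pam_ldap settings for /etc/ldap.conf. The SSHA scheme and the CA certificate path are assumptions; the poster does not say which scheme was chosen. The ACL also adds "by anonymous auth", which the post's two-line snippet omits: without it, slapd's implicit trailing "by * none" denies the simple bind itself, so logins break even though the password change succeeds.

```conf
# --- /etc/openldap/slapd.conf (server side) ---

# Hash scheme for passwords set via the password-modify extended operation.
# SSHA is an assumption here; the post does not say which scheme was picked.
password-hash {SSHA}

# Users may overwrite their own hash; anonymous may only use it to
# authenticate (needed for the simple bind); nobody else can read it.
# Without "by anonymous auth" the implicit final "by * none" blocks binds.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else stays readable so nss_ldap lookups keep working.
access to *
        by * read

# --- /etc/ldap.conf (pam_ldap client side) ---

# Send the password-modify extended operation (exop) so slapd hashes the
# new password with the scheme above, instead of pam_ldap hashing locally.
pam_password exop

# The new password travels in cleartext inside the exop, so require TLS
# and verify the server certificate (the CA file path is an assumption).
ssl start_tls
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ca.crt
```

With these in place, `passwd` run by an LDAP user goes through pam_cracklib, then pam_ldap, and the change lands in the directory as an SSHA hash over a TLS-protected session.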