[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Does any have LDAP password change working with "passwd"?

Is this even possible (it seems it should be)?

Yes. I do, but it took some doing to get it working. First, pick a password scheme for OpenLDAP (in /etc/openldap/slapd.conf). I chose
password-hash {MD5}password
Next, tell pam_ldap to let OpenLDAP do the password hashing (in /etc/ldap.conf), instead of trying to do it locally.
pam_password exop
Of couse, if you do this, you had better use TLS or SSL LDAP connections. Finally, be sure you are using a very recent version of pam_ldap (eg pam_ldap-122), as earlier versions have a bug that makes exop not work with OpenLDAP. As of now, I believe none of RH's nss_ldap rpms contain a sufficiently recent pam_ldap.

Of course, you must use a pam-ified passwd (RH does), have a reasonable pam password stack, eg
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_ldap.so use_authtok
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
and have configured OpenLDAP
access to attrs=userPassword
by self write
to give users write access to their passwords.