
RE: Does any have LDAP password change working with "passwd"?



Also, if doing replication, be sure to use a recent CVS snapshot (preferably
from the REL_ENG_2 branch, I think....) or 2.0.12 when it's released. 2.0.11
has a bug where it doesn't replicate passwords changed via the extended
operation (this includes using ldappassword....) At least, this is true for
back-ldbm. I have no idea about other backends. I've never used them.

> -----Original Message-----
> From: David Wright [mailto:ichbin@heidegger.rprc.washington.edu]
> Sent: Wednesday, August 15, 2001 3:00 AM
> To: Dax Kelson; pamldap@padl.com; openLDAP-software@OpenLDAP.org
> Subject: Re: Does any have LDAP password change working with "passwd"?
> 
> 
> 
> > Is this even possible (it seems it should be)?
> 
> Yes. I do, but it took some doing to get it working. First, pick a 
> password scheme for OpenLDAP (in /etc/openldap/slapd.conf).  I chose
>    password-hash	{MD5}password
> Next, tell pam_ldap to let OpenLDAP do the password hashing (in 
> /etc/ldap.conf), instead of trying to do it locally.
>    pam_password exop
> Of course, if you do this, you had better use TLS or SSL LDAP 
> connections. Finally, be sure you are using a very recent version of 
> pam_ldap (e.g. pam_ldap-122), as earlier versions have a bug that makes 
> exop not work with OpenLDAP. As of now, I believe none of RH's nss_ldap 
> rpms contain a sufficiently recent pam_ldap.
> 
> Of course, you must use a pam-ified passwd (RH does), have a 
> reasonable pam password stack, e.g.
>    password    required      /lib/security/pam_cracklib.so retry=3
>    password    sufficient    /lib/security/pam_ldap.so use_authtok
>    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
>    password    required      /lib/security/pam_deny.so
> and have configured OpenLDAP
>    access to attrs=userPassword
>      by self write
> to give users write access to their passwords.
>
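A small checker for the settings the thread above walks through (slapd `password-hash`, pam_ldap `pam_password exop`, transport protection, and the `userPassword` self-write ACL), added here as an example; it is not code from the original posters, PADL or OpenLDAP. It assumes the PADL ldap.conf `ssl` and `uri` directives for detecting TLS, and runs against constructed sample configs rather than real files.

```python
import re

# Constructed sample configs mirroring the thread's settings (not from a real host).
LDAP_CONF = """\
host ldap.example.org
base dc=example,dc=org
pam_password exop
ssl start_tls
"""
WEAK_LDAP_CONF = "host ldap.example.org\npam_password md5\n"
SLAPD_CONF = """\
password-hash {MD5}
access to attrs=userPassword
  by self write
  by * auth
"""

def parse_kv(text):
    """Map 'directive value' lines to a dict; indented continuation lines
    (e.g. ACL 'by' clauses) are folded into the preceding directive."""
    entries, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and last:
            entries[last] += " " + line.strip()
            continue
        parts = line.split(None, 1)
        last = parts[0].lower()
        entries[last] = parts[1].strip() if len(parts) > 1 else ""
    return entries

def check_exop_setup(ldap_conf, slapd_conf):
    """Return findings (empty list = OK) for the pam_ldap exop setup."""
    client, server = parse_kv(ldap_conf), parse_kv(slapd_conf)
    findings = []
    if client.get("pam_password") != "exop":
        findings.append("pam_password is not 'exop': pam_ldap hashes locally")
    # Assumption: PADL 'ssl on|start_tls' or an ldaps:// 'uri' protects the
    # connection; with exop the new password crosses the wire in cleartext.
    if client.get("ssl", "no") not in ("on", "start_tls") and \
            not client.get("uri", "").startswith("ldaps://"):
        findings.append("no TLS/SSL on the client: password change unprotected")
    if "password-hash" not in server:
        findings.append("no password-hash in slapd.conf: passwords stored as given")
    if not re.search(r"attrs=userPassword.*\bby self write", server.get("access", "")):
        findings.append("no 'access to attrs=userPassword by self write' ACL")
    return findings

if __name__ == "__main__":
    for name, conf in (("good", LDAP_CONF), ("weak", WEAK_LDAP_CONF)):
        print(name, check_exop_setup(conf, SLAPD_CONF) or "OK")
```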