[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password consistancy in the LDAP database

I wrote my admin tools in perl.  There is an md5 module for perl for this kinda
stuff.  There is also 'directory administrator'.  Search on freshmeat.net.  It
supports md5 passwds.  Writing a little cgi for them to change their password is
really easy.  I wrote a library for webmin to facilitate managing users and
groups.  it is a kludge and probably insecure in its current state but I am
pretty bad with programming.  This goes to show that there are ways to do what
you are asking with little skill.  :)

TO answer your other question about passwd, i do not know.  I think that if you
are using pam, passwd will follow what pam says and do the magic for you,
including md5.

Terry Davis
Systems Administrator
BirdDog Solutions, Inc.

Quoting nate <ldap@aphroland.org>:

 For those that are using openldap for authentication,
 how do you handle passwords?  e.g. i plan on using
 MD5 passwords, mainly because traditionally MD5
 has provided stronger encryption of passwords then
 crypt (at least for /etc/shadow), but the problem
 is all of the utils i have found so far (web based
 mostly) only support the crypt password hash.
 Another thing i was thinking was just hardcode
 the password for each user, give them the password,
 and revoke their rights to write to that field.
 Does the  'passwd' utility work reliably for
 changing LDAP passwords(thats one feature i
 have yet to try). I read a couple places
 it was not, but i think the sites were
 referring to a different version of the pam_ldap
 modules. I plan to use LDAP primarily on solaris
 and Linux(mostly debian 2.2 and 3.0).
 thanks to everyone for the help, i got 3 LDAP
 servers running(2 slave), replicating over
 SSL(stunnel, less complicated at this
 point then trying to get them to talk native
 SSL, and stunnel has been a very reliable
 program for me so i trust it's reliablity),
 setup round-robin DNS for the 2 slave
 LDAP servers, have netscape roaming working
 now if only mozilla/netscape6 supported LDAP
 and/or roaming! i was shocked to see the
 latest netscape 6 still didn't support LDAP