
Re: Trying to force password change in SuSE Linux, pam_ldap, openldap 2.1

On Fri, 19.12.2003 at 13.09, Eric.Sammons@frit.frb.org wrote:

> How OpenLDAP works with passwords is directly related to OpenLDAP and
> its integration with PAM.

No. OpenLDAP doesn't "work" with passwords, it simply stores them, using
methods described in RFCs (consult the docs in the latest tarball
distribution's doc/rfc directory). In this case, I don't suppose there is
much difference between 2.0.x and 2.1.x.

>   It is not as simple as OpenLDAP stores the password.

Yes it is.

>   OpenLDAP also stores shadow account information


> and the ACLs  associated with OpenLDAP directly affect the way in
> which users interact with OpenLDAP,


>  this includes interaction at the password level.

Yes. This is distro-dependent.

> For example I have found with certain ACLs I can get attribute
> shadowLastChanged to be strictly enforced but the user for some reason
> immediately receives a closed connection.

Possibly. This is distro-dependent.

>   I can change the ACLs in OpenLDAP and suddenly shadowLastChanged is
> totally ignored.

Oh, absolutely. That's what ACLs are for ;)

> So again, I do not believe that it is just as simple as OpenLDAP
> stores the password.

Correct, it's distro-dependent.

>   There is clearly some ACL issues here,


>  there is also pam_ldap.so issues as well.

Distro-dependent (there didn't ought to be).

>   Believe me this group is not the only group I have discussed this
> issue with.  It is actually one of three.

Probably. You should have stuck around here.

The difficulties that *you* find with *your* particular distro and
*your* ACLs (you refuse to disclose what these are) I do not find with
RedHat Enterprise Server 3 nor RedHat 7.2. Everything that you say
doesn't work for you, does in fact work for me. Of course, I can eff up
everything by lousing up my ACLs - and have done, in the past.

> I believe in covering my bases.

Then your outstretched right hand should preferably be moved to a
different location ;)

mail: billy - at - billy.demon.nl
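As an added example, not part of the thread or of any distro's default configuration: the kind of slapd.conf ACL block the reply above is alluding to when it says the ACLs decide whether password ageing is enforced or ignored. The suffix dc=example,dc=com, the ou=People container and the assumption that pam_ldap binds as the user itself (not through a rootbinddn proxy) are mine. Note that the RFC 2307 attribute is spelled shadowLastChange, not shadowLastChanged.

```conf
# Constructed slapd.conf (OpenLDAP 2.1) ACL fragment for a pam_ldap/nss_ldap
# setup. Assumes nis.schema is loaded and users live under
# ou=People,dc=example,dc=com. Order matters: slapd uses the first
# "access to" clause that matches, so the attribute-specific rules must come
# before the catch-all "access to *".

# userPassword: nobody may read the hash, but the owner may replace it and
# anyone may bind against it. A user's "passwd" via pam_ldap writes here.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# shadowLastChange: pam_ldap reads it (together with shadowMax etc.) to work
# out whether the password has expired, and writes the new day count back
# after a successful password change. Take away "self write" and the value
# is never updated, so the account keeps looking expired; take away read
# access for the binding user and pam_ldap has nothing to evaluate, so
# ageing is not enforced at all.
access to attrs=shadowLastChange
        by self write
        by * read

# Everything else (uid, uidNumber, gidNumber, homeDirectory, loginShell, ...)
# is what nss_ldap needs to resolve accounts, so it stays world-readable.
access to *
        by * read
```

To check what a user can actually see under these rules, bind as that user and ask for both attributes, e.g. `ldapsearch -x -D "uid=alice,ou=People,dc=example,dc=com" -W -b dc=example,dc=com "(uid=alice)" shadowLastChange userPassword`: the result should contain shadowLastChange but no userPassword. One caveat: if /etc/ldap.conf sets rootbinddn, password changes made by root go through the manager DN and bypass these per-user ACLs entirely, which is another way the same ACLs can appear to behave differently from one box to the next.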