
Re: Changing lost passwords

For OpenLDAP, you can change a directory user's password
using either ldappasswd(1) or ldapmodify(1). 

However, it seems this is more of an nss/pam ldap issue
than an OpenLDAP issue.  That is, it seems you are talking
about operating system account passwords.  Please use either
nss_ldap@padl.com or pam_ldap@padl.com to discuss issues
with nss/ldap and pam/ldap, respectively.


At 02:43 AM 2/27/2004, Kief Morris wrote:
>So I've got openldap running (system details below), and user accounts 
>authenticating against it, all quite nice. However, the one thing I haven't 
>figured out is what I need to set up, and how to set it up, so that I can
>change a user's password without knowing their old password, i.e. the
>forgotten password use case.
>I've searched and sifted through lots of documentation, but can't quite
>find something that nails it. I'm sure it must be in the archive for this
>list, but I'm clearly not using the right search terms. 
>Two key requirements are:
>* I do not want to store the ldap admin password in clear text on a 
>  filesystem, even if it's in a root-readable-only file. I believe rootbinddn
>  could be used if I didn't mind this.
>* It shouldn't be overly awkward. Using the passwd command or
>  something similar that works like a traditional Unix system is 
>  what I have in mind. At the moment the best I can do is manually
>  poke a hashed string into the appropriate ldap record, which is
>  awkward.
>Surely I'm not the only one who isn't comfortable putting the unhashed
>admin password in a cleartext file, so there must be a solution out
>Otherwise, perhaps I will have to write a script that prompts for the
>admin password, and then hashes the new user password and uses
>ldapmodify to poke it into the ldap record.
>My system details are:
>Debian Linux with the following packages:
>        ldap-utils/testing uptodate 2.1.23-1
>        libldap2-dev/testing uptodate 2.1.23-1
>        libldap2/testing uptodate 2.1.23-1
>        libnss-ldap/testing uptodate 211-4
>        libpam-ldap/testing uptodate 164-2
>Configuration files are attached.
>Thanks for any help, pointers to FAQ items, online howtos, or other specific
>RTFM pointers are more than welcome.
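
The forgotten-password reset discussed in this thread, as an added example that is not part of either message: a wrapper around ldappasswd(1) that prompts for the admin bind password and the new user password, so neither is stored in a file or passed on the command line. The server URI, admin DN, people base, StartTLS support on the server, and the `LDAPPASSWD` dry-run hook are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: admin-driven password reset with ldappasswd(1).
# Assumed values (not from the thread): URI, admin DN and people base.
LC_ALL=C; export LC_ALL          # keep the character ranges below ASCII-only
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
ADMIN_DN="${ADMIN_DN:-cn=admin,dc=example,dc=com}"
PEOPLE_BASE="${PEOPLE_BASE:-ou=People,dc=example,dc=com}"

# Accept only conservative login names, so the uid can be placed in a DN
# without escaping: no ',', '=', '+', spaces, and no leading '-' (option).
valid_uid() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the entry DN for a login name, or fail if the name is unsafe.
user_dn() {
    valid_uid "$1" || return 1
    printf 'uid=%s,%s\n' "$1" "$PEOPLE_BASE"
}

# Reset one user's password. ADMIN_DN must have write access to the
# entry's userPassword; the old user password is not needed.
reset_ldap_password() {
    dn=$(user_dn "$1") || { echo "refusing unsafe uid: $1" >&2; return 2; }
    # -x  simple bind
    # -ZZ require StartTLS, so both passwords are encrypted in transit
    # -W  prompt for the bind (admin) password: nothing stored on disk
    # -S  prompt for the new user password: nothing visible in ps(1)
    # The server hashes the new value, so no manual hashing is needed.
    # LDAPPASSWD is a hypothetical hook for substituting a dry-run command.
    ${LDAPPASSWD:-ldappasswd} -x -ZZ -H "$LDAP_URI" -D "$ADMIN_DN" -W -S "$dn"
}

# Run only when a login name is given, e.g.: sh reset-ldap-password.sh kief
if [ $# -gt 0 ]; then
    reset_ldap_password "$1"
fi
```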