[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Changing lost passwords

To: Kief Morris <openldap@kief.com>
Subject: Re: Changing lost passwords
From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Date: Fri, 27 Feb 2004 06:55:20 -0800
Cc: openLDAP-software@OpenLDAP.org
In-reply-to: <4.3.2.7.2.20040227104251.02bfae40@wheresmymailserver.com>
References: <4.3.2.7.2.20040227104251.02bfae40@wheresmymailserver.com>

For OpenLDAP, you can change directory user's password
using either ldappasswd(1) or ldapmodify(1). 

However, it seems this is more of an nss/pam ldap issue
than an OpenLDAP issue.  That is, it seems you are talking
about operating system account passwords.  Please use either
nss_ldap@padl.com or pam_ldap@padl.com to discuss issues
with nss/ldap and pam/ldap, respectively.

Kurt

At 02:43 AM 2/27/2004, Kief Morris wrote:
>So I've got openldap running (system details below), and user accounts 
>authenticating against it, all quite nice. However, the one thing I haven't 
>figured out is what I need to set up, and how to set it up, so that I can
>change a user's password without knowing their old password, i.e. the
>forgotten password use case.
>
>I've searched and sifted through lots of documentation, but can't quite
>find something that nails it. I'm sure it must be in the archive for this
>list, but I'm clearly not using the right search terms. 
>
>Two key requirements are:
>
>* I do not want to store the ldap admin password in clear text on a 
>  filesystem, even if it's in a root-readable-only file. I believe rootbinddn
>  could be used if I didn't mind this.
>
>* It shouldn't be overly awkward. Using the passwd command or
>  something similar that works like a traditional Unix system is 
>  what I have in mind. At the moment the best I can do is manually
>  poke a hashed string into the appropriate ldap record, which is
>  awkard.
>
>Surely I'm not the only one who isn't comfortable putting the unhashed
>admin password in a cleartext file, so there must be a solution out
>there.
>
>Otherwise, perhaps I will have to write a script that prompts for the
>admin password, and then hashes the new user password and uses
>ldapmodify to poke it into the ldap record.
>
>My system details are:
>
>Debian Linux with the following packages:
>
>        ldap-utils/testing uptodate 2.1.23-1
>        libldap2-dev/testing uptodate 2.1.23-1
>        libldap2/testing uptodate 2.1.23-1
>        libnss-ldap/testing uptodate 211-4
>        libpam-ldap/testing uptodate 164-2
>
>Configuration files are attached.
>
>Thanks for any help, pointers to FAQ items, online howtos, or other specific
>RTFM pointers are more than welcome.
>
>Thanks,
>Kief 
>
>
>

References:
- Changing lost passwords
  - From: Kief Morris <openldap@kief.com>

Prev by Date: Re: multi-attribute authentication
Next by Date: Re: Corrupted LDAP
Index(es):
- Chronological
- Thread