
Re: Notification of userPassword change in OpenLDAP?



Tom Leach wrote:
I'm trying to work on a password sync scheme between OpenLDAP and some
systems that use flat Unix passwd/shadow files.  I have been able to
update the LDAP server when someone changes their password on the
standalone Unix systems, but I'm having problems trying to get any kind
of notification from the LDAP server if someone from a system using the
LDAP directory changes their password.

So far, I'm looking at searching the LDAP directory every few minutes
for any entries that have had their modifyTimestamp attribute change
since the last time the search ran, then checking to see if the
userPassword attribute in the LDAP directory is different than the
shadow file on the Unix system.  This seems like a real stupid scheme,
especially when passwords are changed infrequently.  I just don't want a
long delay between syncing the directory and flat files in case someone
changes their password on an LDAP client, then tries to log into the
flat file system.

Ideally, there could be some option in OpenLDAP that could call an
external program when some attribute(s) have changed.  That program
could then perform the necessary searches and update the flat files if
appropriate.  So far, I've found nothing indicating that this is
possible so I figured I'd ask and see if anyone else has tried this and
what they found.
Thanks!
Tom Leach
leach@coas.oregonstate.edu

In the old Symas Connexitor EMS product we simply put a slapd on top of /etc/passwd, /etc/shadow, and /etc/group (that is, these flat files provide the backing store for the database that this slapd exposes) and then replicate account updates to it from a central master. You could accomplish much the same thing today using a client reading an accesslog DB.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
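One way to build the "client reading an accesslog DB" that Howard suggests, instead of polling modifyTimestamp: this is an added example in Python, not code from this thread or from OpenLDAP. It assumes slapo-accesslog is loaded on the main database with `logops writes` and `logsuccess TRUE`, that reqMod accepts substring filters, and that the LDIF below is a constructed stand-in for `ldapsearch -b cn=accesslog` output; the filter has slapd select the password changes server-side, so the sync job only needs to remember the last reqStart it processed.

```python
import base64

# Constructed ldapsearch output from an accesslog DB (logops writes); hash is fake.
SAMPLE_LDIF = """\
dn: reqStart=20240105093012.000001Z,cn=accesslog
objectClass: auditModify
reqStart: 20240105093012.000001Z
reqDN: uid=tleach,ou=People,dc=example,dc=com
reqResult: 0
reqMod: userPassword:= {SSHA}Y29uc3RydWN0ZWQtc2FtcGxlLW5vdC1hLXJlYWwtaGFzaA==

dn: reqStart=20240105093540.000003Z,cn=accesslog
objectClass: auditModify
reqStart: 20240105093540.000003Z
reqDN: uid=hyc,ou=People,dc=example,dc=com
reqResult: 0
reqMod: mail:= hyc@example.com
"""

def accesslog_filter(since):
    """Filter for successful modifies that wrote userPassword at or after
    `since`, the GeneralizedTime checkpoint saved by the previous poll."""
    return ("(&(objectClass=auditModify)(reqResult=0)"
            "(reqMod=userPassword:*)(reqStart>=%s))" % since)

def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry."""
    entries, current = [], {}
    # Unfold continuation lines; the extra newlines flush the last entry.
    for line in (text.replace("\n ", "") + "\n\n").splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr, []).append(value.strip())
    return entries

def password_changes(entries):
    """(reqDN, reqStart) per successful modify that touched userPassword; the
    sync job re-reads the entry itself, so no hash leaves this function."""
    hits = []
    for e in entries:
        if e.get("reqResult") != ["0"]:
            continue
        if any(m.startswith("userPassword:") for m in e.get("reqMod", [])):
            hits.append((e["reqDN"][0], e["reqStart"][0]))
    return hits
```

The highest reqStart returned becomes the next run's `since` value, and the accesslog's `logpurge` setting bounds how far back a missed poll can still catch up.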