
Re: Notification of userPassword change in OpenLDAP?



Hi,

On 18/08/2010 23:24, Tom Leach wrote:
> I'm trying to work on a password sync scheme between OpenLDAP and some
> systems that use flat Unix passwd/shadow files. I have been able to
> update the LDAP server when someone changes their password on the
> standalone Unix systems, but I'm having problems trying to get any kind
> of notification from the LDAP server if someone from a system using the
> LDAP directory changes their password.

I assume you have considered setting up PAM/NSS-ldap on these machines instead of rewriting the flat files?

> So far, I'm looking at searching the LDAP directory every few minutes
> for any entries that have had their modifyTimestamp attribute change
> since the last time the search ran, then checking to see if the
> userPassword attribute in the LDAP directory is different than the
> shadow file on the Unix system. This seems like a real stupid scheme,
> especially when passwords are changed infrequently. I just don't want a
> long delay between syncing the directory and flat files in case someone
> changes their password on an LDAP client, then tries to log into the
> flat file system.
>
> Ideally, there could be some option in OpenLDAP that could call an
> external program when some attribute(s) have changed. That program could
> then perform the necessary searches and update the flat files if
> appropriate. So far, I've found nothing indicating that this is possible
> so I figured I'd ask and see if anyone else has tried this and what they
> found.
> Thanks!

Another approach would be to use syncrepl. Performing a search on the attribute you're interested in, and using syncrepl's cookie mechanism either to be notified of changes over a persistent search or to detect changes when connecting again, would allow you to get this information in your client program.

Syncrepl-enabled LDAP libraries are available in several languages now (including, IIRC, Python and Java).

Take a look at some of these resources to read more about syncrepl:

http://tools.ietf.org/html/rfc4533

http://www.openldap.org/doc/admin24/replication.html#LDAP%20Sync%20Replication

http://blog.normation.com/2010/07/18/java-ldap-sdk-for-syncrepl-replication-showcase/

Hope this helps,
Jonathan
--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
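The consumer Jonathan describes, written out as an added example (this is not code from the thread, from OpenLDAP or from the LSC project). It uses python-ldap's real SyncreplConsumer mixin and its syncrepl_search()/syncrepl_poll() API for the live refreshAndPersist loop, but keeps the change detection in a plain class so it can be run and checked without a directory server. The base DN, the (objectClass=posixAccount) filter, the attribute list, the bind credentials, the JSON state file and the event tuples are all my assumptions; a real deployment needs a bind identity whose ACLs allow reading userPassword, and unless slapd stores {CRYPT} hashes the value cannot be copied into shadow as-is, so treat each event as a trigger to regenerate the flat-file entry.

```python
"""Added example (not part of the original thread): a python-ldap syncrepl
consumer that reports userPassword changes so an external program can
resync flat passwd/shadow files. Change tracking is separated from the
LDAP plumbing so it runs, and can be tested, without a directory."""
import json
import os

try:  # python-ldap is only needed for the live run_consumer() plumbing
    import ldap
    from ldap.ldapobject import ReconnectLDAPObject
    from ldap.syncrepl import SyncreplConsumer
    HAVE_PYTHON_LDAP = True
except ImportError:
    HAVE_PYTHON_LDAP = False


class PasswordChangeTracker:
    """Remembers the syncrepl cookie and the last userPassword seen per
    entryUUID; records ("changed", uid, pw) / ("removed", uid) events."""

    def __init__(self, state_file=None, on_event=None):
        self.state_file = state_file      # None keeps state in memory only
        self.on_event = on_event          # optional callback per event
        self.cookie = None
        self.seen = {}                    # entryUUID -> [uid, userPassword]
        self.present_set = set()          # UUIDs listed during refreshPresent
        self.events = []
        if state_file and os.path.exists(state_file):
            with open(state_file) as fh:
                state = json.load(fh)
            self.cookie, self.seen = state["cookie"], state["seen"]

    def _persist(self):
        if self.state_file:  # assumed JSON layout, not a python-ldap format
            with open(self.state_file, "w") as fh:
                json.dump({"cookie": self.cookie, "seen": self.seen}, fh)

    def _emit(self, event):
        self.events.append(event)
        if self.on_event:
            self.on_event(event)

    def set_cookie(self, cookie):
        if isinstance(cookie, bytes):
            cookie = cookie.decode("utf-8")
        self.cookie = cookie              # resume from here after a restart
        self._persist()

    def get_cookie(self):
        return self.cookie

    def entry(self, dn, attrs, uuid):
        """Refresh-phase and persist-phase entries both arrive here; only a
        userPassword that differs from the last one seen is an event."""
        uid = attrs.get("uid", [b""])[0].decode("utf-8", "replace")
        pw = attrs.get("userPassword", [b""])[0].decode("latin-1")
        prev = self.seen.get(uuid)
        self.seen[uuid] = [uid, pw]
        if prev is None or prev[1] != pw:
            self._emit(("changed", uid, pw))
        self._persist()

    def delete(self, uuids):
        for uuid in uuids:
            uid, _ = self.seen.pop(uuid, (None, None))
            if uid is not None:
                self._emit(("removed", uid))
        self._persist()

    def present(self, uuids, refresh_deletes=False):
        """Catch-up after reconnecting: with refresh_deletes the UUIDs are
        deletions; otherwise they are survivors and None closes the list,
        so anything still remembered but not listed was deleted meanwhile."""
        if refresh_deletes:
            self.delete(uuids or [])
        elif uuids is not None:
            self.present_set.update(uuids)
        else:
            self.delete([u for u in list(self.seen) if u not in self.present_set])
            self.present_set.clear()

    def drain(self):
        events, self.events = self.events, []
        return events


if HAVE_PYTHON_LDAP:
    class PasswordSyncConsumer(ReconnectLDAPObject, SyncreplConsumer):
        """python-ldap SyncreplConsumer callbacks, delegated to the tracker."""
        def __init__(self, uri, tracker, **kwargs):
            ReconnectLDAPObject.__init__(self, uri, **kwargs)
            self.tracker = tracker
        def syncrepl_set_cookie(self, cookie): self.tracker.set_cookie(cookie)
        def syncrepl_get_cookie(self): return self.tracker.get_cookie()
        def syncrepl_entry(self, dn, attrs, uuid): self.tracker.entry(dn, attrs, uuid)
        def syncrepl_delete(self, uuids): self.tracker.delete(uuids)
        def syncrepl_present(self, uuids, refreshDeletes=False):
            self.tracker.present(uuids, refreshDeletes)
        def syncrepl_refreshdone(self): pass


def run_consumer(uri, base, bind_dn, bind_pw, tracker):
    """Live loop (needs a server): refreshAndPersist search restricted to
    uid/userPassword, resuming from the saved cookie. Filter and base are
    assumptions; events reach tracker.on_event from inside the callbacks."""
    conn = PasswordSyncConsumer(uri, tracker)
    conn.simple_bind_s(bind_dn, bind_pw)
    msgid = conn.syncrepl_search(base, ldap.SCOPE_SUBTREE,
                                 mode="refreshAndPersist",
                                 cookie=tracker.get_cookie(),
                                 filterstr="(objectClass=posixAccount)",
                                 attrlist=["uid", "userPassword"])
    while conn.syncrepl_poll(all=1, msgid=msgid):
        pass
```

Because the tracker keys on entryUUID rather than DN, a renamed entry whose hash is unchanged produces no event, and the present() handling covers the refreshOnly case from the reply: after a restart the server lists surviving UUIDs and the tracker removes the ones it no longer hears about.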