Running RH5 with openldap-2.3.43. We have a script that pulls ssha
passwords from a ldap server out of our control. So when a user updates
their passwords on that server, the script pulls the password
periodically and updates our ldap servers so users can use our ldap
servers with posix attributes to authenticate to systems using ldap and
pam settings.
We need to inactivate accounts after a period of inactivity. We can do
this using the shadowInactive attribute in ldap that is based on when
the user password expired.
So the issue we have is that when the user logs into a system and their
accounts are expired they can enter a new password and our ldap servers
our updated with the new password, but when the script runs at a later
time, the password is reset back to whatever is in the ldap server we
pull passwords from. We would like users to not be able to change their
password using the password command. We can accomplish this in a few
ways including:
1. pam_password_prohibit_message in ldap.conf
2. Just commenting out the ldap module in pam that controls password
updates.
The problem is that we have a small group of users that are added
manually that we would like to be able to change their passwords using
the passwd command. The above will impact all users. We are looking
for suggestions on how to handle the above. We thought of the
following:
1. Use the ppolocy overlay and create a default policy for all users
that sets pwdAllowUserChange to no and then create individual policies
to that allow certain users to change their pass.
In this method, what happens to all the shadow attributes, are they
overwridden by the ppolicy. I don't see anything regarding Inactive
accounts in ppolicy like the shadowInactive attribute.
2. Could we accomplish this by figuring out a ACL in slapd.conf that
only users with a special attribute value are able to write to the
userPassword attribute?