Hi, we are trying to find the best way to change users' passwords from outside Debian Edu.
Debian Edu has three sets of credentials per user: * LDAP auth scheme and password hash for simple bind * Samba NT?LM hashes * Kerberos principal keys In order to ensure they are kept in sync, Debian Edu enforces using GOsa to change passwords. GOsa has knowledge of an LDAP manager account and can call all the utilities needed to update Samba and Kerberos credentials. However, in order to better integrate AlekSIS, it would be desirable to be able to change passwords from outside Debian Edu / GOsa. One obvious way would be to SSH into Debian Edu and jsut do what GOsa would do, but that's a somewhat nasty hack. In other LDAP setups, we just call the LDAP password modify operation, and rely on LDAP to do the right thing. These are Heimdal Kerberos setups, where we can leverage the smbk5pwd overlay in LDAP itself to keep the cerdentials in sync. There is an equivalent for MIT Kerberos, smbkrb5pwd, but it… …is not in Debian …looks somewhat unmaintained …requires Kerberos and other user data to be in separate LDAP objects (which is funny, because smbk5pwd for Heimdal requires exactly the opposite) Maybe someone here has any idea on how this could be done, without falling back to writing expect scripts that call cli utilities? Cheers, Nik -- Dominik George (1. Vorstandsvorsitzender, pädagogischer Leiter) Teckids e.V. — Digitale Freiheit mit Jugend und Bildung https://www.teckids.org/
