On Mon, 2012-10-01 at 17:03 -0400, Qing Chang wrote:
> In a thread on Freeipa-devel titled "freeIPA as a samba backend" there
> is a statement as below:
> IPA will keep all of your passwords in sync - userPassword,
> sambaNTPassword, sambaLMPassword, and your kerberos passwords.
> 389 cannot do this - the functionality that does this is provided by
> an IPA password plugin. Openldap has a similar plugin, but I
> think it is "contrib" and not "officially supported".
> Can someone please point me to where I can find this plugin and
> configured it to keep all passwords listed above in sync?
The plugin is automatically enabled in IPA, it is the only way to change
> I am unable to find detailed information on password plugin in IPA 2.2
> My intention is to provide my Windows users (accounts on IPA server)
> IPA web interface only for changing their password.
If you need to write a tool to change passwords keep in ming you can use
ldappasswd and pass it old/new user password.
> I am using Samba 3.0.23d as a standalone server because this is a last
> version that does not check for SIDs strictly...
more recent versions of samba can also use the ldappasswd method.
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list