On 2007-10-24 at 16:57 -0500, Peter da Silva wrote:
> An entirely reasonable question. The answer I was given on one occasion I
> brought it up was that LDAP was designed for read-only access and
> read-write is cobbled on the side, often implemented in a completely insane
> manner, and writing is often either all-or-none, insecure, or both.

And yet password changing in LDAP is precisely standards-specified.

  3062 LDAP Password Modify Extended Operation. K. Zeilenga. February 2001.
       (Format: TXT=11807 bytes) (Status: PROPOSED STANDARD)

A wrapper script to avoid the whole PAM mess and just provide passwd(1)
compatibility by also calling ldappasswd from OpenLDAP? Crude but effective?
Or do users need to be able to change passwords from GUI tools and
automatically at login with (*spit*) expiration policies?

-Phil
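The passwd(1)-style wrapper Phil floats, sketched here as an added example that is not part of the thread: it assumes OpenLDAP's ldappasswd(1) is installed, that users sit under an assumed base DN as uid=<login> (LDAP_URI and USER_BASE below are placeholders), and that the server offers StartTLS, since RFC 3062 carries the new password in the clear inside the extended operation.

```shell
#!/bin/sh
# Hypothetical ldap-passwd wrapper: passwd(1)-like front end for ldappasswd.
# LDAP_URI and USER_BASE are assumed placeholders; override via environment.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
USER_BASE="${USER_BASE:-ou=People,dc=example,dc=com}"
LDAPPASSWD="${LDAPPASSWD:-ldappasswd}"   # overridable so tests need no server

# Map a login name to its DN. Only plain POSIX login names are accepted,
# so a crafted argument cannot smuggle DN syntax or extra options through.
user_dn() {
    case "$1" in
        ''|-*|*[!a-z0-9._-]*) return 1 ;;
    esac
    printf 'uid=%s,%s\n' "$1" "$USER_BASE"
}

# Argument list as one line, for inspection and testing.
#  -x    simple bind as the user themselves (no SASL, no PAM involved)
#  -ZZ   StartTLS is mandatory; abort if it fails rather than send clear text
#  -W    prompt for the current (bind) password
#  -S    prompt twice for the new password
# Passwords are never passed with -s/-w/-a, which would expose them in ps(1).
build_cmd() {
    dn=$(user_dn "$1") || return 1
    printf '%s -x -ZZ -H %s -D %s -W -S %s\n' \
        "$LDAPPASSWD" "$LDAP_URI" "$dn" "$dn"
}

# Change the password of the named login (default: the invoking user).
# Servers that insist on the old password inside the PasswdModify request
# itself (rather than just the bind) additionally need -A.
change_password() {
    login="${1:-$(id -un)}"
    dn=$(user_dn "$login") || { echo "ldap-passwd: bad login '$login'" >&2; return 2; }
    "$LDAPPASSWD" -x -ZZ -H "$LDAP_URI" -D "$dn" -W -S "$dn"
}

# Run only when invoked as the script itself; sourcing it runs nothing.
case "$0" in
    *ldap-passwd) change_password "$@" ;;
esac
```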