Re: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
On Monday 01 October 2007 20:29, Brian A. Seklecki wrote:
> On Mon, 1 Oct 2007, Jonathan McKeown wrote:
> > The passwd(1) program was rewritten some time ago to use PAM, but a test
> > was left in which prevents it doing so. I have asked, both on this list
> > and on freebsd-hackers in the last few weeks, whether there is any reason
> > other than historical to leave this test in, and been deafened by the
> > silence. There are a couple of PRs either open or suspended regarding
> > this issue.
> >
> > I diked out the whole switch statement and replaced it with a single
> > printf, and it works for changing LDAP passwords. I haven't thoroughly
> > tested to see if it causes any other problems.
>
> Does it log in as the LDAP user or the PAM super-user to do the attribute
> change? I'll check out the source...but that's great news.
>
> ~BAS

From what I remember you have to add some additional configuration in the
pam_ldap config file - pam_password exop seems to ring a bell - which tells
pam_ldap to use the RFC3062 Password Modify extended operation. I think it
does it as the user who owns the password so you need something like

access to attrs=userPassword by self write by * auth

in slapd.conf.

I was actually fiddling with this to try and get pam_pGINA working: if anyone
has had any joy with that I'd be interested to hear about it.

Jonathan
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
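The pam_ldap setting and the slapd.conf ACL that Jonathan mentions, written out as a configuration example. This is an added illustration, not configuration from the thread, from FreeBSD, or from the OpenLDAP project; the `password-hash`, `ssl start_tls` and `tls_checkpeer` lines and the trailing catch-all ACL are assumptions added here to show the surrounding context a working setup needs, and the comments explain why each line matters for keeping password changes confined to the owning user.

```conf
# pam_ldap.conf (added example; the TLS lines are assumptions, not from the thread)
# Use the RFC 3062 Password Modify extended operation instead of rewriting the
# userPassword attribute directly, so slapd hashes the new value itself and the
# change is performed as the bound user, not as a privileged service account.
pam_password exop
# Keep the user's bind and the new password off the wire in cleartext.
ssl start_tls
tls_checkpeer yes

# slapd.conf (added example)
# Hash passwords set through the exop server-side; never store them in cleartext.
password-hash {SSHA}

# "access to" directives are evaluated in order and the first clause whose
# target matches wins, so the userPassword rule must come before any catch-all.
access to attrs=userPassword
    by self write      # the entry's owner may change its own password
    by * auth          # everyone else may only bind against it, never read it

# Catch-all for the remaining attributes. Once any access directive exists,
# anything not matched is denied, so this grants the ordinary read access.
access to *
    by self write
    by users read
    by * none
```

With this in place, the exop-based change from passwd(1) or any other pam_ldap client succeeds only for the entry the user has bound as, and the hashed password is never readable by other users or anonymous binds, which is the property the "ACL insanity" remark earlier in the thread is really asking for.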
Re: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
Does it log in as the LDAP user or the PAM super-user to do the attribute
change? I'll check out the source...but that's great news.

~BAS

On Mon, 1 Oct 2007, Jonathan McKeown wrote:

> On Friday 28 September 2007 16:29, Brian A. Seklecki wrote:
> > FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS (PKI).
> > All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP,
> > interactive shell, SFTP, etc.) can be tied into LDAP either directly or
> > via PAM.
> >
> > As for password change, I don't know if anyone has a passwd(1) binary that
> > properly changes the LDAP password attribute -- if there is and it's out
> > there, it requires ACL insanity.
>
> The passwd(1) program was rewritten some time ago to use PAM, but a test
> was left in which prevents it doing so. I have asked, both on this list
> and on freebsd-hackers in the last few weeks, whether there is any reason
> other than historical to leave this test in, and been deafened by the
> silence. There are a couple of PRs either open or suspended regarding
> this issue.
>
> I diked out the whole switch statement and replaced it with a single
> printf, and it works for changing LDAP passwords. I haven't thoroughly
> tested to see if it causes any other problems.
>
> Jonathan

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know
it. So who's really in jail?" ~Maynard James Keenan