Gentoo Forums
LDAP tool for users to manage their passwords?
alwyn (Tux's lil' helper)
Posted: Tue Apr 19, 2005 2:53 am    Post subject: LDAP tool for users to manage their passwords?

Hi,

I'm looking for an easy tool with which users can modify their passwords in ldap.

Or is there a better way to do it?
arch4nge1 (n00b)
Posted: Tue Apr 19, 2005 4:39 am

I thought there was a way to expire passwords and it would do it in PAM naturally for users upon login.

However, it depends whether you're using LDAP to authenticate PAM or whether you're using it for something else.

Hope that helps.
alwyn (Tux's lil' helper)
Posted: Thu Apr 21, 2005 2:19 am

I am using it for multiple purposes:

1) Subversion authentication
2) XPlanner authentication
3) Authentication to a chrooted cvs accessible only via ssh and using PAM.

So a password can actually expire without the user ever accessing a shell.

Is it possible to set up a system so that when he changes his password with passwd, it updates LDAP?
arch4nge1 (n00b)
Posted: Thu Apr 21, 2005 10:43 pm

I believe it can be done using passwd in PAM (/etc/pam.d/passwd). However, I've not researched enough into it. I've only done it for system-auth so it blankets every other authentication mechanism.

Hope that helps.

Cheers
dannysauer (n00b)
Posted: Tue Apr 26, 2005 3:28 pm

If you set up nss_ldap and pam_ldap following any one of the millions of howtos out there, and are using a recent distro (an up-to-date Gentoo is recent), just using "passwd" will magically update the password in LDAP.

Or, you could head to Freshmeat and get one of the tools up there. I wrote a CGI script that does it, but the server hosting it is down right now due to major troubles at the ISP (grrr).
ck84 (n00b)
Posted: Thu Apr 28, 2005 5:16 pm

I can log in via ssh and so on, and LDAP works great, and I have this in /etc/pam.d/passwd:

Code:
auth       required     /lib/security/pam_stack.so service=system-auth
auth       sufficient   /lib/security/pam_ldap.so use_first_pass debug
account    required     /lib/security/pam_stack.so service=system-auth
account    sufficient   /lib/security/pam_ldap.so use_first_pass debug
password   required     /lib/security/pam_stack.so service=system-auth
password   sufficient   /lib/security/pam_ldap.so use_first_pass use_authtok


but when I do passwd username, I get this error:

Code:

$ passwd
Enter login(LDAP) password:
New UNIX password:
Retype new UNIX password:
LDAP password information update failed: Unknown error
use bind to verify old password
LDAP password information update failed: Unknown error
use bind to verify old password
passwd: Permission denied


Anyone got any idea?

Here are my ACLs from /etc/openldap/slapd.conf:

Code:

# Users can change their shell, anyone else can see it
access to attr=loginShell
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by self write
        by * read
# Only the user can see their employeeNumber
access to attr=employeeNumber
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by self read
        by * none
# User can change PW
access to attrs=gecos,description,loginShell
  by self write

# Only root/Manager can see user pass in plain
access to attrs="userPassword"
  by dn="uid=root,ou=people,dc=mydomain,dc=de" write
  by anonymous auth
  by self write
  by * none
# Default read access for everything else

access to *
        by dn.regex="uid=.*/admin,cn=GSSAPI,cn=auth" write
        by * read
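An added checker, not code from the thread or from OpenLDAP, that applies slapd's first-match ACL evaluation to rules in the shape of the ones quoted above (the sample inside is constructed and its DNs are hypothetical): it reports what each requester gets on an attribute, whether userPassword allows what a pam_ldap password change needs (anonymous "auth" for the bind that checks the old password, "write" for the user storing the new one), and which attribute entries are dead because an earlier clause already catches them.

```python
import re
SAMPLE_ACL = """
# constructed sample in the shape of the slapd.conf ACLs quoted above (hypothetical DNs)
access to attr=loginShell
        by self write
        by * read
access to attrs=gecos,description,loginShell
  by self write
access to attrs="userPassword"
  by dn="uid=root,ou=people,dc=mydomain,dc=de" write
  by anonymous auth
  by self write
  by * none
access to *
        by * read
"""
LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # slapd's privilege order

def parse_acl(text):
    """-> [(set of attrs, or None for '*', [(who, level), ...]), ...] in file order."""
    rules = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to"):
            m = re.match(r'attrs?="?([^"]+)"?$', line[9:].strip())   # None for '*'
            rules.append((m and {a.strip() for a in m.group(1).split(",")}, []))
        elif line.startswith("by "):               # by <who> <level>; assumes no spaces in <who>
            rules[-1][1].append((line.split()[1], line.split()[-1]))
    return rules

def access_for(rules, attr, who):
    """slapd semantics: only the first 'access to' clause matching attr is consulted;
    inside it the first matching 'by' wins, and no match means the implicit 'by * none'."""
    for attrs, bys in rules:
        if attrs is None or attr in attrs:
            return next((lvl for subj, lvl in bys if subj in (who, "*")), "none")
    return "none"

def shadowed(rules):
    """Attributes named in a clause that an earlier clause already catches (dead entries)."""
    seen, dead = set(), []
    for attrs, _ in rules:
        if attrs:                                  # skip the catch-all '*' clause
            dead += sorted(a for a in attrs if a in seen)
            seen |= attrs
    return dead

def passwd_change_allowed(rules):
    """Anonymous needs at least 'auth' on userPassword and the user at least 'write'."""
    got = [LEVELS.index(access_for(rules, "userPassword", w)) for w in ("anonymous", "self")]
    return got[0] >= LEVELS.index("auth") and got[1] >= LEVELS.index("write")
```

In this sample, loginShell in the second clause is never consulted because the first clause already matches it, and gecos is visible to nobody but the user, since a clause whose by lines all fail denies everyone else.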