LDAP Authentication

Dieter Kluenter dieter at dkluenter.de
Thu Nov 20 20:43:56 UTC 2008


Toby Burress <kurin at delete.org> writes:

> On Thu, Nov 20, 2008 at 04:52:17PM +0100, Dieter Kluenter wrote:
>> Hi,
>> I just stumbled upon
>> http://www.freebsd.org/doc/en/articles/ldap-auth/client.html
>> 
>> In example 7 you are presenting a ruby script to modify a
>> userpassword. In this script you use some sort of ldapmodify to change
>> the password value. This is a NO NO. Never modify a password this
>> way and please do not propagate this.
>> The proper way is to call the extended operation passwordModify
>> (RFC-3062). The shell script of example 6 calls ldappasswd(1), which
>> calls this extended operation.
>
> Unfortunately it doesn't look like ruby-ldap supports RFC-3062.
> This specific example, iirc, was adapted from a script I wrote to
> modify passwords in an Active Directory server, which requires a
> specific (crazy) kind of ldapmodify.

I gave up using ruby, as the 2 available modules, net-ldap and
ruby-ldap, are not actively maintained. As far as I remember both
modules were able to call controls.
AD doesn't store passwords, authentication is handled by kerberos. At
least in the few ADs I had to integrate.
>
> However, from the RFC it looks like this extension is specifically
> to allow the directory to manage the password backend even when
> such backend isn't the directory itself (which my article doesn't
> cover).  While I'll add a section about this and the passwordModify
> operation, I think it is not terrible to use ldapModify to change
> passwords, as long as (a) the users are in fact kept in the directory,
> and (b) the admin is aware that he'll have to change his scripts
> if that changes in the future.

Well, you may do whatever you want in your own network, but as an
official FreeBSD publication it should refer to the standards and
best practice rules. This documentation is aimed at people who are new
to FreeBSD and to OpenLDAP, and it should be our mutual aim to present
samples of best practice and compliance.
We at OpenLDAP suffer from badly written docs that are spread all over
the net.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
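The thread turns on one point: changing a password by writing the userPassword attribute with ldapmodify bypasses whatever the server does on a password change, whereas the Password Modify extended operation (RFC 3062, request OID 1.3.6.1.4.1.4203.1.11.1, the operation ldappasswd(1) sends) hands the new value to the server and lets it apply its own hashing and policy, which also works when the password store is not the directory itself. Since the reply says ruby-ldap has no built-in support for it, the following added example shows what a client has to put on the wire: it BER-encodes the PasswdModifyRequestValue (userIdentity [0], oldPasswd [1], newPasswd [2] inside a SEQUENCE) and decodes the optional genPasswd [0] from the response. This is example code written for this thread, not code from the FreeBSD article, from ruby-ldap or from OpenLDAP; the helper names and the sample DN and passwords are assumptions for illustration, and sending the value still requires an LDAP library call that supports extended operations.

```ruby
# Added example (not from the FreeBSD article or ruby-ldap): build and parse
# the values used by the LDAP Password Modify extended operation, RFC 3062.
# The request OID below is taken from the RFC; everything else is a
# hypothetical helper written for illustration.
PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1".freeze

# BER definite-form length: one byte below 0x80, otherwise 0x80|count
# followed by the big-endian length bytes.
def ber_length(n)
  return [n].pack("C") if n < 0x80
  bytes = []
  while n > 0
    bytes.unshift(n & 0xff)
    n >>= 8
  end
  ([0x80 | bytes.size] + bytes).pack("C*")
end

# One tag-length-value triple with the content as raw bytes.
def ber_tlv(tag, content)
  content = content.b
  [tag].pack("C") + ber_length(content.bytesize) + content
end

# RFC 3062, section 2.1:
#   PasswdModifyRequestValue ::= SEQUENCE {
#     userIdentity [0] OCTET STRING OPTIONAL,
#     oldPasswd    [1] OCTET STRING OPTIONAL,
#     newPasswd    [2] OCTET STRING OPTIONAL }
# Context-specific primitive tags are 0x80, 0x81, 0x82; SEQUENCE is 0x30.
# Omitting newPasswd asks the server to generate one (returned as genPasswd).
def passmod_request_value(user_identity: nil, old_passwd: nil, new_passwd: nil)
  body = "".b
  body << ber_tlv(0x80, user_identity) if user_identity
  body << ber_tlv(0x81, old_passwd) if old_passwd
  body << ber_tlv(0x82, new_passwd) if new_passwd
  ber_tlv(0x30, body)
end

# Read one TLV at byte offset pos; returns [tag, content, next_pos].
def ber_read_tlv(buf, pos)
  tag = buf.getbyte(pos)
  len = buf.getbyte(pos + 1)
  pos += 2
  if len >= 0x80
    count = len & 0x7f
    len = 0
    count.times do
      len = (len << 8) | buf.getbyte(pos)
      pos += 1
    end
  end
  [tag, buf.byteslice(pos, len), pos + len]
end

# RFC 3062, section 2.2:
#   PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }
# The response value is absent when the client supplied newPasswd itself.
def passmod_response_genpasswd(value)
  return nil if value.nil? || value.empty?
  tag, seq, _ = ber_read_tlv(value.b, 0)
  raise "PasswdModifyResponseValue must be a SEQUENCE" unless tag == 0x30
  pos = 0
  while pos < seq.bytesize
    tag, content, pos = ber_read_tlv(seq, pos)
    return content if tag == 0x80
  end
  nil
end

# Sample input, constructed for this example: a user changing their own
# password, which is the case where oldPasswd is normally required.
req = passmod_request_value(user_identity: "uid=jdoe,ou=people,dc=example,dc=org",
                            old_passwd: "0ldpass", new_passwd: "s3cret")
puts "extended request #{PASSMOD_OID}, #{req.bytesize} value bytes"
```

Before relying on the operation, confirm the server advertises it: the root DSE lists the OID in supportedExtension (with OpenLDAP tools, ldapsearch -x -s base -b "" supportedExtension). Whether an old password is required, and what hashing is applied, is decided by the server and its password policy, which is exactly the behaviour a direct ldapmodify of userPassword sidesteps.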


