passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)

Jonathan McKeown jonathan+freebsd-questions at
Mon Oct 1 23:54:10 PDT 2007

On Monday 01 October 2007 20:29, Brian A. Seklecki wrote:
> On Mon, 1 Oct 2007, Jonathan McKeown wrote:
> > The passwd(1) program was rewritten some time ago to use PAM, but a test
> > was left in which prevents it doing so. I have asked, both on this list
> > and on freebsd-hackers in the last few weeks, whether there is any reason
> > other than historical to leave this test in, and been deafened by the
> > silence. There are a couple of PRs either open or suspended regarding
> > this issue.
> >
> > I diked out the whole switch statement and replaced it with a single
> > printf, and it works for changing LDAP passwords. I haven't thoroughly
> > tested to see if it causes any other problems.
> Does it log in as the LDAP user or the PAM super-user to do the attribute
> change?  I'll check out the source...but that's great news.  ~BAS

From what I remember you have to add some additional configuration in the 
pam_ldap config file - pam_password exop seems to ring a bell - which tells 
pam_ldap to use the RFC3062 Password Modify extended operation. I think it 
does it as the user who owns the password so you need something like

access to attrs=userPassword
    by self write
    by * auth

in slapd.conf.

I was actually fiddling with this to try and get pam_pGINA working: if anyone 
has had any joy with that I'd be interested to hear about it.


More information about the freebsd-questions mailing list