passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
Jonathan McKeown
jonathan+freebsd-questions at hst.org.za
Mon Oct 1 23:54:10 PDT 2007
On Monday 01 October 2007 20:29, Brian A. Seklecki wrote:
> On Mon, 1 Oct 2007, Jonathan McKeown wrote:
> > The passwd(1) program was rewritten some time ago to use PAM, but a test
> > was left in which prevents it doing so. I have asked, both on this list
> > and on freebsd-hackers in the last few weeks, whether there is any reason
> > other than historical to leave this test in, and been deafened by the
> > silence. There are a couple of PRs either open or suspended regarding
> > this issue.
> >
> > I diked out the whole switch statement and replaced it with a single
> > printf, and it works for changing LDAP passwords. I haven't thoroughly
> > tested to see if it causes any other problems.
>
> Does it log in as the LDAP user or the PAM super-user to do the attribute
> change? I'll check out the source...but that's great news. ~BAS
From what I remember you have to add some additional configuration in the
pam_ldap config file - pam_password exop seems to ring a bell - which tells
pam_ldap to use the RFC3062 Password Modify extended operation. I think it
does it as the user who owns the password so you need something like

    access to attrs=userPassword
        by self write
        by * auth

in slapd.conf.
I was actually fiddling with this to try and get pam_pGINA working: if anyone
has had any joy with that I'd be interested to hear about it.
Jonathan
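As an added illustration (not code from the thread or from pam_ldap) of what `pam_password exop` actually puts on the wire, the following encodes and parses the RFC 3062 PasswdModifyRequestValue that the Password Modify extended operation carries. The DN and passwords are constructed sample values; no LDAP connection is made, only the BER encoding is shown.

```python
# Added example, not from the original thread: build and parse the
# PasswdModifyRequestValue of an RFC 3062 Password Modify extended operation,
# which is what pam_ldap sends when pam_password is set to exop. The server
# applies its own password-hash policy to newPasswd, so the client never needs
# to read or write the stored hash (hence "by self write" / "by * auth" suffices).

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName of the exop (RFC 3062)

# PasswdModifyRequestValue ::= SEQUENCE {
#     userIdentity [0] OCTET STRING OPTIONAL,   -- context-specific tag 0x80
#     oldPasswd    [1] OCTET STRING OPTIONAL,   -- 0x81
#     newPasswd    [2] OCTET STRING OPTIONAL }  -- 0x82
FIELD_TAGS = {"userIdentity": 0x80, "oldPasswd": 0x81, "newPasswd": 0x82}


def _ber_len(n: int) -> bytes:
    """Encode a BER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf: bytes, i: int):
    """Read one BER TLV at offset i and return (tag, value, next_offset)."""
    tag, first = buf[i], buf[i + 1]
    if first < 0x80:
        length, i = first, i + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[i + 2:i + 2 + nbytes], "big")
        i += 2 + nbytes
    return tag, buf[i:i + length], i + length


def encode_passwd_modify(user_identity=None, old_passwd=None, new_passwd=None) -> bytes:
    """Serialise the optional fields (str or bytes) into the request value."""
    inner = b""
    for name, value in (("userIdentity", user_identity),
                        ("oldPasswd", old_passwd), ("newPasswd", new_passwd)):
        if value is not None:
            v = value.encode() if isinstance(value, str) else value
            inner += bytes([FIELD_TAGS[name]]) + _ber_len(len(v)) + v
    return b"\x30" + _ber_len(len(inner)) + inner


def decode_passwd_modify(data: bytes) -> dict:
    """Parse a request value back into its fields; reject junk or repeated tags."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single BER SEQUENCE")
    names = {t: n for n, t in FIELD_TAGS.items()}
    fields, i = {}, 0
    while i < len(body):
        tag, value, i = _read_tlv(body, i)
        if tag not in names or names[tag] in fields:
            raise ValueError("unexpected or repeated tag 0x%02x" % tag)
        fields[names[tag]] = value
    return fields
```

Note that oldPasswd and newPasswd travel as plain octet strings inside this value, which is why the exop only makes sense over the TLS session the thread subject mentions.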