Scratching my head over passwd- >LDAP 2006-06-07 - By Sharpe, Sam J
Back
> Sorry, I was basing my input on a previous post that it
> wasn't working under Solaris and my personal experience that
> it is not supported under HP-UX. I did not say it didn't
> work, I said "I am not aware...".
Post-pub cheekiness set in - I wasn't meaning to cause offence ;o)
> o Support for changing passwords in LDAP, optionally
> with NDS or Active Directory servers
Ahhh - I've never tried an LDAP password change against an AD server -
What I do is elegant but different.
I have an OpenLDAP directory, it syncs every hour with our master user
database (only 40,000 accounts!) which also pushes to our AD. Passwords
aren't actually stored in LDAP, they are SASL{username} which forces a
SASL transaction with the LDAP servers. Saslauthd is configured via PAM
to actually do krb5 to AD (hence password changes either go krb5 from
client to AD or ldap client to ldap server to krb5 against AD) I don't
think I'd ever convince my Windows Running Colleagues to let me extend
the AD LDAP schema to run some of our custom apps.
> Since I work in a mixed environment, and we have our own
> password filtering tool written in perl, I did not test it
> further on Linux.
Yeah, you should try getting Solaris to work with SASL password - it's
ummm... Annoying.
> Additionally, I am fully aware of the "password" entries in
> PAM - the same exists on HP-UX, too, but it still doesn't work.
Again, cheekiness - sorry for the implication.
> -- --Original Message-- --
> From: nahant-list-bounces@(protected)
> [mailto:nahant-list-bounces@(protected)] On Behalf Of Sharpe, Sam J
> Sent: Tuesday, June 06, 2006 4:27 PM
> To: Red Hat Enterprise Linux 4 (Nahant) Discussion List
> Cc: Discussion of Red Hat Enterprise Linux 3 (Taroon)
> Subject: Re: Scratching my head over passwd->LDAP
>
> On 6 Jun 2006, at 22:24, Collins, Kevin [MindWorks] wrote:
> > I'm not aware of the traditional passwd command working
> anywhere with
> > LDAP. Use 'ldappasswd'...
>
> passwd is fully PAM enabled. A password change evokes the PAM
> password service, which does whatever you configure it to do.
> In my case that is attempt a Kerberos password change against
> AD, if not fall back to an LDAPS password change.
>
> To quote the PAM manpage:
>
> " password - this group's responsibility is the task of
> updating authen-
> tication mechanisms. Typically, such services are
> strongly
> coupled to
> those of the auth group. Some authentication
> mechanisms lend themselves
> well to being updated with such a function. Standard
> UN*X
> password-
> based access is the obvious example: please enter a
> replacement pass-
> word."
>
> Out of interest, what did you think this PAM directive was for?
>
> Just because you don't know about it doesn't mean it can't happen...
> Book a flight to London and I'll demo a password change on my
> Linux workstation and Windows desktop for you ;o)
>
> --
> Sam
>
> --
> nahant-list mailing list
> nahant-list@(protected)
> https://www.redhat.com/mailman/listinfo/nahant-list
>
>
>
> --
> nahant-list mailing list
> nahant-list@(protected)
> https://www.redhat.com/mailman/listinfo/nahant-list
>
--
Taroon-list mailing list
Taroon-list@(protected)
https://www.redhat.com/mailman/listinfo/taroon-list
|
|
