And make sure pam_ldap is ref'd in your 'password' pam file (CentOS 5.4: just do it in /etc/pam.d/system-auth).
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661
email: chris.jacobs@apollogrp.edu

----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: openldap-technical@openldap.org
Cc: weigao88@gmail.com
Sent: Tue Aug 03 04:31:29 2010
Subject: Re: Change User Password (passwd vs. ldappasswd)
On Monday, 2 August 2010 21:34:41 weigao88@gmail.com wrote:
Hi,
I have set up and configured the openldap 2.3 servers (master-slave) that come with CentOS 5.4. I use openldap to centralize Linux/Unix user account management. Everything works as expected. However, I am confused about changing user passwords. Without LDAP, we use file-based authentication (/etc/passwd and /etc/shadow), so users can change their password via the "passwd" command. Now that I have migrated all my users to LDAP with the default password policy, users can still use the passwd command to change their password, but the LDAP password policy is not enforced: for example, my LDAP password policy has a minimum password length requirement of 12, and I am able to change a user password to something less than 12 characters.
Consider how ldappasswd changes the password, and compare it to how your pam_ldap is configured to change the password.
In this case, most likely, you have pam_ldap configured to hash the new value for userPassword before sending it to the LDAP server as the new value. So, the LDAP server doesn't see the clear text, only the hash, thus it can't enforce any quality controls on the password, as it only gets the hash.
However, if users use "ldappasswd -x -vv -S -W -D uid=user1,ou=People,dc=IT,dc=Company" to change their password, the LDAP password policy will be enforced, i.e. they will not be allowed to change to a password of less than 12 characters.
In this case, the LDAP client is providing the new password in clear text (so, you should have transport encryption in place).
Are the users supposed to use the passwd OR the ldappasswd command to change their password? It's very inconvenient for users to use the ldappasswd command to change their password, as you can see they have to do much more typing, and some novice users are not even aware of the ldappasswd command. I am confused here. Any help would be greatly appreciated.
You need to configure your pam_ldap to do a password change via extended operation, by setting:
pam_password exop
in /etc/ldap.conf
Regards, Buchan
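As an added example (not from any message in this thread), a small audit of the two settings the replies point at: the pam_password value in /etc/ldap.conf, and whether the PAM "password" stack (system-auth on CentOS 5) references pam_ldap.so. The sample config texts are constructed; the only page-derived value is the dc=IT,dc=Company base.

```python
import re

# pam_password values documented for pam_ldap's ldap.conf: the two exop forms use the
# Password Modify extended operation the reply recommends; crypt/md5 hash on the client.
EXOP_MODES = {"exop", "exop_send_old"}
CLIENT_HASH_MODES = {"crypt", "md5"}

def pam_password_mode(conf_text):
    """Return the pam_password value, or None if unset (last occurrence wins: assumption)."""
    mode = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        m = re.match(r"(?i)pam_password\s+(\S+)\s*$", line)
        if m:
            mode = m.group(1).lower()
    return mode

def classify(conf_text):
    """Map the ldap.conf setting to what the LDAP server will actually receive."""
    mode = pam_password_mode(conf_text)
    if mode in EXOP_MODES:
        return mode, "exop: server receives the new password in clear text, policy applies"
    if mode in CLIENT_HASH_MODES:
        return mode, "client-hashed: server only sees the hash and cannot check quality"
    if mode is None:
        return None, "unset: pam_password not configured, confirm this build's default"
    return mode, "other: not the exop mechanism, review against the server's policy"

def pam_ldap_in_password_stack(pam_text):
    """True if a 'password' line of a pam.d file (e.g. system-auth) loads pam_ldap.so."""
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()        # also copes with [bracketed] controls
        if tokens and tokens[0].lower() == "password" and \
                any(t.endswith("pam_ldap.so") for t in tokens[1:]):
            return True
    return False

# Constructed samples (not real files); the base DN is the one from the question.
LDAP_CONF_HASHED = """\
base dc=IT,dc=Company
ssl start_tls
# hash locally before writing userPassword
pam_password md5
"""
LDAP_CONF_EXOP = LDAP_CONF_HASHED.replace("pam_password md5", "pam_password exop")
SYSTEM_AUTH = """\
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
"""
```

Run classify() over the real /etc/ldap.conf and pam_ldap_in_password_stack() over /etc/pam.d/system-auth to confirm both conditions from the thread hold before testing a short password with passwd.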