On Sat, 15 Feb 2014 16:28:34 -0600 (CST), Doug OLeary dkoleary@olearycomputers.com wrote:
Hey;
Apparently, in my efforts to be brief, I didn't adequately outline the scenario. Users need to be able to change their own passwords once their account is configured in ldap and assigned an initial password. That's where pam comes in. Obviously, if I (or the user) change a user's account via ldap commands, pam restrictions.
I just verified that a test user can change his password to anything he wants via ldappasswd (bad... but have to have access to the command).
I also verified that the pam configuration affects password selection when the user is trying to change the password via the passwd command. (got that working both locally and via ldap).
So, I got the answer to my question and raised a bunch more potential issues that I'll have to ponder.
It is not PAM but the name service switch nss which can be configured to use ldap as credentials storage.
-Dieter