Hi,
as I described in my previous thread[1], I have a web frontend tool where a user can modify their own password - here the password is a set of passwd attributes: userPassword, sambaNTPassword, sambaLMPassword.
Is there any way that, when I give users access to modify their own password and a user wants to modify it through LDAP(S) instead of our web frontend, the samba passwords are also updated (with the correct hash algorithm)?
I've found that the password policy and history should be handled inside OpenLDAP; only this feature is missing.
I've also found the slapo-shell and slapo-sock overlays, but as I interpret those mechanisms, they send the client request to an external program, so when I want to change the userPassword, slapd sends this request to the external tool, which sends a modify request to slapd, which sends the request to the external tool, which.... Am I right?
Or should I use some filter to decide which requests are sent to the external program and which are not?
Is there any solution for this request?
Thanks,
a.
[1]: https://www.openldap.org/lists/openldap-technical/201809/msg00021.html
Ervin Hegedüs wrote:
Hi,
as I described in my previous thread[1], I have a web frontend tool where a user can modify their own password - here the password is a set of passwd attributes: userPassword, sambaNTPassword, sambaLMPassword.
Is there any way that, when I give users access to modify their own password and a user wants to modify it through LDAP(S) instead of our web frontend, the samba passwords are also updated (with the correct hash algorithm)?
Use the smbk5pwd overlay.
Is there any solution for this request?
Hi Howard,
On Thu, Sep 20, 2018 at 02:11:43PM +0100, Howard Chu wrote:
Ervin Hegedüs wrote:
Hi,
as I described in my previous thread[1], I have a web frontend tool where a user can modify their own password - here the password is a set of passwd attributes: userPassword, sambaNTPassword, sambaLMPassword.
Is there any way that, when I give users access to modify their own password and a user wants to modify it through LDAP(S) instead of our web frontend, the samba passwords are also updated (with the correct hash algorithm)?
Use the smbk5pwd overlay.
thanks, I'll check it.
a.
Hi,
On Thu, Sep 20, 2018 at 02:11:43PM +0100, Howard Chu wrote:
Ervin Hegedüs wrote:
Hi,
as I described in my previous thread[1], I have a web frontend tool where a user can modify their own password - here the password is a set of passwd attributes: userPassword, sambaNTPassword, sambaLMPassword.
Is there any way that, when I give users access to modify their own password and a user wants to modify it through LDAP(S) instead of our web frontend, the samba passwords are also updated (with the correct hash algorithm)?
Use the smbk5pwd overlay.
I've tried it:
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib/ldap/
olcModuleLoad: smbk5pwd

dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcSmbK5PwdConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: smbk5pwd
olcSmbK5PwdEnable: samba

but when I changed the userPassword, the sambaNTPassword and sambaLMPassword attributes didn't change.
What did I miss?
thanks,
a.
On 23/09/2018 at 21:22, Ervin Hegedüs wrote:
Hi,
On Thu, Sep 20, 2018 at 02:11:43PM +0100, Howard Chu wrote:
Ervin Hegedüs wrote:
Hi,
as I described in my previous thread[1], I have a web frontend tool where a user can modify their own password - here the password is a set of passwd attributes: userPassword, sambaNTPassword, sambaLMPassword.
Is there any way that, when I give users access to modify their own password and a user wants to modify it through LDAP(S) instead of our web frontend, the samba passwords are also updated (with the correct hash algorithm)?
Use the smbk5pwd overlay.
I've tried it:
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib/ldap/
olcModuleLoad: smbk5pwd

dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcSmbK5PwdConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: smbk5pwd
olcSmbK5PwdEnable: samba

but when I changed the userPassword, the sambaNTPassword and sambaLMPassword attributes didn't change.
What did I miss?
The smbk5pwd overlay only works if the password change has been made with the extended password modify operation (this operation is done with ldappasswd, not with ldapmodify).
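
Added example, not part of the original thread: because the overlay acts only on the password modify extended operation, a plain modify of userPassword leaves the Samba hashes behind, and that drift can be audited from an export of the directory. The sketch assumes the ppolicy overlay is loaded (so pwdChangedTime is maintained) and that whatever writes the Samba hashes also updates sambaPwdLastSet; the function names, DNs and timestamps are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample: an ldapsearch export of sambaSamAccount entries with
# pwdChangedTime and sambaPwdLastSet requested. DNs and times are made up.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
pwdChangedTime: 20180923192259Z
sambaPwdLastSet: 1537730579

dn: uid=bob,ou=people,dc=example,dc=com
pwdChangedTime: 20180923192259Z
sambaPwdLastSet: 1530000000

dn: uid=carol,ou=people,dc=example,dc=com
pwdChangedTime: 20180923192259Z
"""

def parse_entries(ldif):
    """Parse simple LDIF (plain values only; folded lines are unfolded)."""
    entries = []
    for block in ldif.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.startswith("#") and ": " in line:
                key, value = line.split(": ", 1)
                entry[key.lower()] = value.strip()
        if "dn" in entry:
            entries.append(entry)
    return entries

def generalized_to_epoch(value):
    """Convert GeneralizedTime in UTC (20180923192259Z) to Unix seconds."""
    stamp = datetime.strptime(value[:14], "%Y%m%d%H%M%S")
    return int(stamp.replace(tzinfo=timezone.utc).timestamp())

def stale_samba_hashes(ldif, tolerance=5):
    """Return (dn, reason) for entries whose Samba hashes lag userPassword."""
    findings = []
    for entry in parse_entries(ldif):
        if "pwdchangedtime" not in entry:
            continue  # no ppolicy timestamp, nothing to compare
        changed = generalized_to_epoch(entry["pwdchangedtime"])
        last_set = entry.get("sambapwdlastset")
        if last_set is None:
            findings.append((entry["dn"], "sambaPwdLastSet missing"))
        elif changed - int(last_set) > tolerance:
            lag = changed - int(last_set)
            findings.append((entry["dn"], f"Samba hashes {lag}s older"))
    return findings
```

Calling stale_samba_hashes(SAMPLE_LDIF) reports the bob and carol entries; alice, whose two timestamps match, is treated as in sync.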
Hi,
thanks Clément,
On Sun, Sep 23, 2018 at 10:24:28PM +0200, Clément OUDOT wrote:
On 23/09/2018 at 21:22, Ervin Hegedüs wrote:
On Thu, Sep 20, 2018 at 02:11:43PM +0100, Howard Chu wrote:
Use the smbk5pwd overlay.
I've tried it:
[...]
but when I changed the userPassword, the sambaNTPassword and sambaLMPassword attributes didn't change.
What did I miss?
The smbk5pwd overlay only works if the password change has been made with the extended password modify operation (this operation is done with ldappasswd, not with ldapmodify).
meanwhile I found that, before I saw your e-mail.
Anyway, is there any solution to ensure that users modify their passwords only with ldappasswd (if they know how it works), and to deny the use of ldapmodify? I mean, can I configure OpenLDAP ACL rules for this?
Thanks,
a.
hi,
On Sun, Sep 23, 2018 at 09:22:59PM +0200, Ervin Hegedüs wrote:
On Thu, Sep 20, 2018 at 02:11:43PM +0100, Howard Chu wrote:
Use the smbk5pwd overlay.
I've tried it:
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /usr/lib/ldap/
olcModuleLoad: smbk5pwd

dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcSmbK5PwdConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: smbk5pwd
olcSmbK5PwdEnable: samba

but when I changed the userPassword, the sambaNTPassword and sambaLMPassword attributes didn't change.
What did I miss?
ok, looks like it works also in case of PasswordModify Extended Option, like ppolicy overlay.
thanks,
a.