Hi,
as I described in my previous thread[1], I have a web frontend tool, where user can modify its own password - here the password is a set of passwd attributes: userPassword, sambaNTPassword, sambaLMPassword.
Is there any way that when I give access to users to modify its own password, and the user wants to modify it through LDAP(S), instead of out web frontend, the samba passwords also updated (with correct hash algorithm)?
I've found that the password policy and history should handle inside of OpenLDAP, only this feature missing.
I've also found slapo-shell and slapo-sock overlays, but as I interpret those mechanism, they sends the client request to an external software, so when I want to change the userPassword, the slapd send this request to the external tool, which sends a modify request to slapd, which sends the request to external tool, whcih.... Em I right?
Or should I use some filter to exclude, which requests sending to external program and which not?
Is there any solution for this request?
Thanks,
a.
[1]: https://www.openldap.org/lists/openldap-technical/201809/msg00021.html
Ervin Hegedüs wrote:
Use the smbk5pwd overlay.
Is there any solution for this request?
Hi,
On Thu, Sep 20, 2018 at 02:11:43PM +0100, Howard Chu wrote:
I've tried it:
dn: cn=module,cn=config cn: module objectClass: olcModuleList olcModulePath: /usr/lib/ldap/ olcModuleLoad: smbk5pwd
dn: olcOverlay=smbk5pwd,olcDatabase={1}mdb,cn=config changetype: add objectClass: olcSmbK5PwdConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: smbk5pwd olcSmbK5PwdEnable: samba
but when I changed the userPassword, the sambaNTPassword and sambaLMPassword attributes doesn't changed.
What did I missed?
thanks,
a.
Le 23/09/2018 à 21:22, Ervin Hegedüs a écrit :
smbk5pwd overlay only works if password change has been made with extended password modify operation (this operation is done with ldappasswd, not with ldapmodify).
Hi,
thanks Clément,
On Sun, Sep 23, 2018 at 10:24:28PM +0200, Clément OUDOT wrote:
[...]
meanwhile I found that, before I saw your e-mail.
Anyway, is that any solution to prevent that the users modify their passwords with only ldappasswd (if it knows how does it works), and deny the using of ldapmodify? I mean can I configure OpenLDAP ACL rules for this?
Thanks,
a.
openldap-technical@openldap.org
-
Clément OUDOT -
Ervin Hegedüs -
Howard Chu