Date: Thu, 20 Nov 2008 13:48:03 -0500
From: Toby Burress <kurin@delete.org>
To: Dieter Kluenter <dieter@dkluenter.de>
Cc: freebsd-doc@freebsd.org
Subject: Re: LDAP Authentication
Message-ID: <20081120184803.GA60958@lithium.delete.org>
In-Reply-To: <87myfufl8u.fsf@rubin.l4b.de>
References: <87myfufl8u.fsf@rubin.l4b.de>
On Thu, Nov 20, 2008 at 04:52:17PM +0100, Dieter Kluenter wrote:
> Hi,
> I just stumbled upon
> http://www.freebsd.org/doc/en/articles/ldap-auth/client.html
>
> In example 7 you are presenting a ruby script to modify a
> userpassword. In this script you use some sort of ldapmodify to change
> the password value. This is a NO NO. Never modify a password this
> way and please do not propagate this.
> The proper way is to call the extended operation passwordModify
> (RFC-3062). The shell script of example 6 calls ldappasswd(1), which
> calls this extended operation.

Unfortunately it doesn't look like ruby-ldap supports RFC-3062. This specific example, iirc, was adapted from a script I wrote to modify passwords in an Active Directory server, which requires a specific (crazy) kind of ldapmodify.

However, from the RFC it looks like this extension is specifically to allow the directory to manage the password backend even when such backend isn't the directory itself (which my article doesn't cover). While I'll add a section about this and the passwordModify operation, I think it is not terrible to use ldapModify to change passwords, as long as (a) the users are in fact kept in the directory, and (b) the admin is aware that he'll have to change his scripts if that changes in the future.
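Since the thread notes that ruby-ldap does not expose RFC 3062, here is the request value a client has to build itself to issue the Password Modify extended operation that ldappasswd(1) uses. This is an added example, not code from the FreeBSD article or from either mail; it assumes the client library offers some generic way to send an ExtendedRequest, and the DN used in the test is hypothetical.

```ruby
# Added example, not code from the FreeBSD article or this thread: hand-built
# BER encoding of the RFC 3062 Password Modify extended operation value.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # requestName of the operation
# BER definite length: short form below 128, long form (0x80|n, n octets) above.
def ber_length(len)
  return [len].pack("C") if len < 128
  octets = len.digits(256).reverse              # big-endian length octets
  ([0x80 | octets.size] + octets).pack("C*")
end
# One tag-length-value triple; value is forced to a binary string.
def ber_tlv(tag, value)
  [tag].pack("C") + ber_length(value.bytesize) + value.b
end
# Read one TLV from the front of data: returns [tag, value, remainder].
def ber_read(data)
  tag, first = data.getbyte(0), data.getbyte(1)
  raise "truncated BER element" if first.nil?
  len, offset = first, 2
  if first >= 128
    n = first & 0x7f
    len = data.byteslice(2, n).bytes.inject(0) { |acc, b| (acc << 8) | b }
    offset = 2 + n
  end
  [tag, data.byteslice(offset, len), data.byteslice(offset + len..-1)]
end

# PasswdModifyRequestValue ::= SEQUENCE {
#   userIdentity [0] OCTET STRING OPTIONAL,   -- context tag 0x80
#   oldPasswd    [1] OCTET STRING OPTIONAL,   -- context tag 0x81
#   newPasswd    [2] OCTET STRING OPTIONAL }  -- context tag 0x82
# Every field is optional; omitting newPasswd asks the server to generate one.
def passwd_modify_request(user_identity: nil, old_passwd: nil, new_passwd: nil)
  body = "".b
  body << ber_tlv(0x80, user_identity) if user_identity
  body << ber_tlv(0x81, old_passwd) if old_passwd
  body << ber_tlv(0x82, new_passwd) if new_passwd
  ber_tlv(0x30, body)
end

# PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }
# Returns the server-generated password, or nil when the response carries none.
def parse_passwd_modify_response(value)
  return nil if value.nil? || value.empty?
  tag, seq, _rest = ber_read(value)
  raise "expected SEQUENCE, got tag 0x#{tag.to_s(16)}" unless tag == 0x30
  return nil if seq.empty?
  tag, gen, _rest = ber_read(seq)
  raise "expected [0] genPasswd, got tag 0x#{tag.to_s(16)}" unless tag == 0x80
  gen
end
```

The encoded value is the requestValue of an LDAP ExtendedRequest whose requestName is PASSWD_MODIFY_OID, sent over a TLS-protected session so the cleartext passwords inside it never cross the wire unprotected.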