Date: Thu, 20 Nov 2008 21:17:12 +0100
From: "Dieter Kluenter" <dieter@dkluenter.de>
To: Toby Burress <kurin@delete.org>
Cc: freebsd-doc@freebsd.org
Subject: Re: LDAP Authentication
Message-ID: <87bpwatanr.fsf@rubin.l4b.de>
In-Reply-To: <20081120184803.GA60958@lithium.delete.org> (Toby Burress's message of "Thu, 20 Nov 2008 13:48:03 -0500")
References: <87myfufl8u.fsf@rubin.l4b.de> <20081120184803.GA60958@lithium.delete.org>
Toby Burress <kurin@delete.org> writes:

> On Thu, Nov 20, 2008 at 04:52:17PM +0100, Dieter Kluenter wrote:
>> Hi,
>> I just stumbled upon
>> http://www.freebsd.org/doc/en/articles/ldap-auth/client.html
>>
>> In example 7 you are presenting a ruby script to modify a
>> userpassword. In this script you use some sort of ldapmodify to change
>> the password value. This is a NO NO. Never modify a password this
>> way and please do not propagate this.
>> The proper way is to call the extended operation passwordModify
>> (RFC-3062). The shell script of example 6 calls ldappasswd(1), which
>> calls this extended operation.
>
> Unfortunately it doesn't look like ruby-ldap supports RFC-3062.
> This specific example, iirc, was adapted from a script I wrote to
> modify passwords in an Active Directory server, which requires a
> specific (crazy) kind of ldapmodify.

I gave up using ruby, as the 2 available modules, net-ldap and
ruby-ldap, are not actively maintained. As far as I remember both
modules were able to call controls.
AD doesn't store passwords; authentication is handled by kerberos.
At least in the few ADs I had to integrate.

> However, from the RFC it looks like this extension is specifically
> to allow the directory to manage the password backend even when
> such backend isn't the directory itself (which my article doesn't
> cover). While I'll add a section about this and the passwordModify
> operation, I think it is not terrible to use ldapModify to change
> passwords, as long as (a) the users are in fact kept in the directory,
> and (b) the admin is aware that he'll have to change his scripts
> if that changes in the future.

Well, you may do whatever you want in your own network, but as an
official FreeBSD publication, it should refer to the standards and
best practice rules. This documentation is aimed at people who are new
to FreeBSD and to OpenLDAP, and it should be our mutual aim to present
samples of best practice and compliance.
We at OpenLDAP suffer from badly written docs that are spread all over
the net.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N 10°08'02,42"E
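The passwordModify extended operation (RFC 3062) that ldappasswd(1) sends, worked through as an added example that is not part of this thread, of the FreeBSD article, or of any ruby module mentioned above. It is a minimal BER encoder and decoder for the request and response values in pure Python with no LDAP library, so it shows exactly what crosses the wire instead of a modify of userPassword; the DN and the passwords are constructed sample values, and sending the encoded value inside an LDAP ExtendedRequest is left to whatever client library is in use.

```python
"""
RFC 3062 Password Modify extended operation, request/response values only.
Added illustration; not code from the thread or the FreeBSD article.

Why it matters: with this operation the server decides how the new
password is stored (its configured hash) and can enforce its password
policy. A plain modify of userPassword stores whatever bytes the client
sent, so hashing and policy become the client script's problem.
"""
from typing import Dict, Optional, Tuple

# OID under which RFC 3062 registers the Password Modify request.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Context-specific primitive tags for [0], [1], [2]; SEQUENCE is 0x30.
TAG_USER_IDENTITY = 0x80
TAG_OLD_PASSWD = 0x81
TAG_NEW_PASSWD = 0x82
TAG_GEN_PASSWD = 0x80  # [0] in PasswdModifyResponseValue
TAG_SEQUENCE = 0x30


def _ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read the TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_passwd_modify_request(user_identity: Optional[str] = None,
                                 old_passwd: Optional[str] = None,
                                 new_passwd: Optional[str] = None) -> bytes:
    """
    PasswdModifyRequestValue ::= SEQUENCE {
        userIdentity [0] OCTET STRING OPTIONAL,
        oldPasswd    [1] OCTET STRING OPTIONAL,
        newPasswd    [2] OCTET STRING OPTIONAL }
    Every field is optional: no userIdentity means "the bound user",
    no newPasswd asks the server to generate one (RFC 3062, section 2).
    """
    parts = b""
    for tag, val in ((TAG_USER_IDENTITY, user_identity),
                     (TAG_OLD_PASSWD, old_passwd),
                     (TAG_NEW_PASSWD, new_passwd)):
        if val is not None:
            parts += _tlv(tag, val.encode("utf-8"))
    return _tlv(TAG_SEQUENCE, parts)


def decode_passwd_modify_request(value: bytes) -> Dict[str, str]:
    """Inverse of encode_passwd_modify_request, keyed by RFC field name."""
    tag, body, _ = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    names = {TAG_USER_IDENTITY: "userIdentity",
             TAG_OLD_PASSWD: "oldPasswd",
             TAG_NEW_PASSWD: "newPasswd"}
    out: Dict[str, str] = {}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag not in names:
            raise ValueError("unexpected tag 0x%02x" % tag)
        out[names[tag]] = val.decode("utf-8")
    return out


def decode_passwd_modify_response(value: bytes) -> Optional[str]:
    """
    PasswdModifyResponseValue ::= SEQUENCE { genPasswd [0] OCTET STRING OPTIONAL }
    Returns the server-generated password, or None when the client chose one.
    """
    tag, body, _ = _read_tlv(value, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == TAG_GEN_PASSWD:
            return val.decode("utf-8")
    return None


def build_extended_request(user_dn: str, old_pw: str, new_pw: str) -> Tuple[str, bytes]:
    """(requestName, requestValue) pair to hand to an LDAP client's
    extended-operation call; sample DN and passwords are constructed."""
    return PASSWD_MODIFY_OID, encode_passwd_modify_request(user_dn, old_pw, new_pw)


if __name__ == "__main__":
    oid, val = build_extended_request(
        "uid=alice,ou=people,dc=example,dc=com", "old-pw", "new-pw")
    print(oid, val.hex())
```

The request value goes in the `requestValue` of an LDAP ExtendedRequest with `requestName` set to `PASSWD_MODIFY_OID`; that is all ldappasswd(1) does on top of binding, which is why it works against any server that implements the RFC without the client ever touching the userPassword attribute.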