From owner-freebsd-questions@FreeBSD.ORG Mon Oct 1 06:53:51 2007
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D446416A417 for ; Mon, 1 Oct 2007 06:53:51 +0000 (UTC) (envelope-from jonathan@hst.org.za)
Received: from hermes.hst.org.za (onix.hst.org.za [209.203.2.133]) by mx1.freebsd.org (Postfix) with ESMTP id 0E04113C458 for ; Mon, 1 Oct 2007 06:53:49 +0000 (UTC) (envelope-from jonathan@hst.org.za)
Received: from sysadmin.hst.org.za (sysadmin.int.dbn.hst.org.za [10.1.1.20]) (authenticated bits=0) by hermes.hst.org.za (8.13.8/8.13.8) with ESMTP id l916mGVp072317 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NO); Mon, 1 Oct 2007 08:48:17 +0200 (SAST) (envelope-from jonathan@hst.org.za)
From: Jonathan McKeown
Organization: Health Systems Trust
To: freebsd-questions@freebsd.org
Date: Mon, 1 Oct 2007 08:56:44 +0200
User-Agent: KMail/1.7.2
References: <46FCDD68.6030901@zedat.fu-berlin.de> <1190989759.2994.26.camel@new-host>
In-Reply-To: <1190989759.2994.26.camel@new-host>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200710010856.44860.jonathan@hst.org.za>
X-Spam-Score: -4.171 () ALL_TRUSTED,AWL,BAYES_00
X-Scanned-By: MIMEDefang 2.61 on 209.203.2.133
Cc: "O. Hartmann" , "Brian A. Seklecki"
Subject: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 01 Oct 2007 06:53:51 -0000

On Friday 28 September 2007 16:29, Brian A. Seklecki wrote:
> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
> (PKI).
>
> All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP,
> interactive shell, SFTP, etc.) can be tied into LDAP either directly or
> via PAM.
>
> As for password change, I don't know if anyone has a passwd(1) binary
> that properly changes the LDAP password attribute -- if there is and it's
> out there, it requires ACL insanity.

The passwd(1) program was rewritten some time ago to use PAM, but a test was
left in which prevents it from doing so. I have asked, both on this list and
on freebsd-hackers in the last few weeks, whether there is any reason other
than historical to leave this test in, and been deafened by the silence.
There are a couple of PRs either open or suspended regarding this issue.

I diked out the whole switch statement and replaced it with a single printf,
and it works for changing LDAP passwords. I haven't thoroughly tested to see
if it causes any other problems.

Jonathan