From: "Brian A. Seklecki" <lavalamp@spiritual-machines.org>
To: Jonathan McKeown
Cc: "O. Hartmann", freebsd-questions@freebsd.org
Date: Mon, 1 Oct 2007 14:29:38 -0400 (EDT)
Subject: Re: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
Message-ID: <20071001142854.I34346@arbitor.digitalfreaks.org>
In-Reply-To: <200710010856.44860.jonathan@hst.org.za>
References: <46FCDD68.6030901@zedat.fu-berlin.de> <1190989759.2994.26.camel@new-host> <200710010856.44860.jonathan@hst.org.za>

Does it log in as the LDAP user or the PAM super-user to do the attribute change? I'll check out the source... but that's great news.

~BAS

On Mon, 1 Oct 2007, Jonathan McKeown wrote:

> On Friday 28 September 2007 16:29, Brian A. Seklecki wrote:
>> FreeBSD 5.x and 6.x work fine with both PAM and NSS -> LDAP w/ TLS
>> (PKI).
>>
>> All other services (RADIUS, Apache (mod_ldap, mod_pam_auth), PHP,
>> interactive shell, SFTP, etc.) can be tied into LDAP either directly or
>> via PAM.
>>
>> As for password change, I don't know if anyone has a passwd(1) binary
>> that properly changes the LDAP password attribute -- if there is and it's
>> out there, it requires ACL insanity.
>
> The passwd(1) program was rewritten some time ago to use PAM, but a test was
> left in which prevents it doing so. I have asked, both on this list and on
> freebsd-hackers in the last few weeks, whether there is any reason other than
> historical to leave this test in, and been deafened by the silence. There are
> a couple of PRs either open or suspended regarding this issue.
>
> I diked out the whole switch statement and replaced it with a single printf,
> and it works for changing LDAP passwords. I haven't thoroughly tested to see
> if it causes any other problems.
>
> Jonathan

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know
it. So who's really in jail?" ~Maynard James Keenan
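The two configuration fragments below are an added example, not something either poster supplied, showing the pairing a FreeBSD administrator would typically use once passwd(1) actually drives the PAM password stack: an /etc/pam.d/passwd that hands the change to pam_ldap before falling back to pam_unix, and an OpenLDAP slapd.conf ACL that confines userPassword writes to the bound user's own entry so the "ACL insanity" stays minimal. The pam_ldap module path (the FreeBSD ports convention), the use of the PADL pam_ldap module, and the layout of the slapd.conf rules are assumptions; the pam_unix line matches the FreeBSD default.

```conf
# --- /etc/pam.d/passwd (assumed layout; pam_unix line is the FreeBSD default) ---
# passwd(1) uses only the "password" service type.
# pam_ldap runs first and is "sufficient": on success the stack stops and the
# local password file is untouched. Local-only accounts fall through to pam_unix.
# Module path assumes pam_ldap installed from ports.
password  sufficient  /usr/local/lib/pam_ldap.so
password  required    pam_unix.so   no_warn try_first_pass nullok

# --- slapd.conf ACL fragment (assumed; OpenLDAP access-clause syntax) ---
# The first matching "access to" clause wins, so the userPassword rule must
# precede any broader rule. Each user may rewrite only its own password; the
# attribute may be used for binding (auth) but is never readable, even by
# authenticated users, so no account can harvest hashes over LDAP.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else: the owner may edit its own entry, other bound users may
# read, anonymous gets nothing.
access to *
        by self write
        by users read
        by * none
```

With this arrangement no privileged directory identity is involved in the common case: PADL pam_ldap binds as the user's own DN with the old password before issuing the modify, which is exactly what the `by self write` rule permits. Only when pam_ldap is configured with `rootbinddn` (password read from /etc/ldap.secret) does a root-run passwd bind as that DN instead, and then the ACL for that DN, not the user's, decides the outcome.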