From: Jonathan McKeown
Organization: Health Systems Trust
To: "Brian A. Seklecki"
Cc: freebsd-questions@freebsd.org
Date: Tue, 2 Oct 2007 08:57:04 +0200
Subject: Re: passwd(1) and LDAP (was Re: FreeBSD 7.0, Open LDAP, PAM, TLS and NSS, howto?)
Message-Id: <200710020857.04541.jonathan+freebsd-questions@hst.org.za>

On Monday 01 October 2007 20:29, Brian A. Seklecki wrote:
> On Mon, 1 Oct 2007, Jonathan McKeown wrote:
> > The passwd(1) program was rewritten some time ago to use PAM, but a test
> > was left in which prevents it from doing so. I have asked, both on this list
> > and on freebsd-hackers in the last few weeks, whether there is any reason
> > other than historical to leave this test in, and been deafened by the
> > silence. There are a couple of PRs either open or suspended regarding
> > this issue.
> >
> > I diked out the whole switch statement and replaced it with a single
> > printf, and it works for changing LDAP passwords. I haven't thoroughly
> > tested to see if it causes any other problems.
>
> Does it log in as the LDAP user or the PAM super-user to do the attribute
> change? I'll check out the source... but that's great news.
>
> ~BAS

From what I remember you have to add some additional configuration in the
pam_ldap config file - pam_password exop seems to ring a bell - which tells
pam_ldap to use the RFC3062 Password Modify extended operation. I think it
does it as the user who owns the password, so you need something like

    access to attrs=userPassword by self write by * auth

in slapd.conf.

I was actually fiddling with this to try and get pam_pGINA working: if anyone
has had any joy with that I'd be interested to hear about it.

Jonathan