
Re: Question on potential workaround for supporting password change on non-compliant RFC 3062 LDAP server.




On Thu, 2018-06-14 at 15:13 -0400, John Taisto wrote:
> I was wondering if there is a workaround for this issue or if you
> basically have to move to RFC 3062 compliant LDAP server to get the
> password update functionality to work.

The only password modification function that nss-pam-ldapd supported
was the EXOP password modification. It could be that previously CentOS
still shipped the old PADL pam_ldap module that supported more forms of
password change.

You should still be able to compile the PADL pam_ldap module for your
system and use that. I think the PAM module can be renamed (unlike the
NSS module) so it should be reasonably safe to use it just for password
changes.

I would either use it for all operations (a full replacement for the
pam_ldap module from nss-pam-ldapd) or use it for the password
command. When you perform a password change the first step is
authentication. For pam_ldap those credentials are provided to the LDAP
server for the actual password change operation so I'm not 100% sure it
will work as expected if you use nss-pam-ldapd's pam_ldap for
authentication and PADL's pam_ldap for password change within the same
command.

-- 
-- arthur - arthur@arthurdejong.org - https://arthurdejong.org/ --