[TriLUG] poppassd and ldap
Mark Turner
markt at siteseers.net
Tue Jan 7 22:29:21 EST 2003
Proxy users are for wusses. Binds should be done by the real user, or
You're Doing It Wrong. :-)
LDAP is complaining that the password provided by poppasswd doesn't
match the one in the LDAP directory for the user. Pam_LDAP binds as a
user in order to retrieve certain privileged fields, such as
userPassword (at least, it should if you have properly set up your
access control lists in /etc/openldap/slapd.conf. And you HAVE set them
up, right?).
I suggest you test the supplied password using ldapsearch, doing
something like this:
    ldapsearch -x -D "uid=user,ou=People,o=silex technologies;c=us" -W \
        -b "uid=user,ou=People,o=silex technologies;c=us" userPassword
If the user's supplied password is correct, you should get LDAP's
userPassword entry for that person. This should be the same query that
poppasswd is performing.
Seeing that the bottom of the poppasswd page says "poppasswd is run as
root in order to change passwords," I'm not sure it will really play
nicely with LDAP. Very few Googles seem to mention them together:
http://www.google.com/search?q=poppasswd+ldap+bind&hl=en&lr=&ie=UTF-8&start=0&sa=N
Mark
Tanner Lovelace wrote:
>Ah, that makes sense. Running the passwd command as root when using
>local files will work fine, but ldap has its own access control
>system. You could check into setting up a proxy user, but that's
>getting way beyond my knowledge of ldap. Anyone else have any
>suggestions?
>
>
--
Mark Turner Siteseers Inc.
www.markturner.net Open Source Solutions
www.siteseers.net
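
Added example, not part of the original message or of anyone's real configuration: a slapd.conf access-control sketch of the kind the post refers to, with a wide-open rule shown commented out beside a tighter one. It assumes OpenLDAP's slapd.conf ACL syntax; older servers spell the attribute selector "attr=" rather than "attrs=".

```conf
# Constructed illustration of slapd.conf access control for userPassword.
# Comments are kept outside the rules on purpose: slapd.conf joins
# indented continuation lines to the previous line before it strips
# comments, so a comment placed between two "by" clauses would swallow
# the clause that follows it.

# Weak form (left commented out): one catch-all rule. Every client,
# including an unauthenticated one, can read every attribute, password
# hashes included, so nothing depends on binding as the real user.
#
# access to *
#     by * read

# Tighter form. Rules are evaluated in order and the first matching
# "access to" wins, so the userPassword rule must come before the
# catch-all rule.
#
#   by self write      the entry's owner, bound with their own DN and
#                      password, may read and replace the value
#   by anonymous auth  an unauthenticated client may use the value only
#                      to complete a bind, never to read it
#   by * none          any other bound identity gets nothing
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Everything else in the directory stays world-readable.
access to *
    by * read
```

With rules like these, the ldapsearch test above returns userPassword only when the bind DN and the supplied password are the user's own. A local root process that talks to the directory without binding is treated as anonymous and gets no access to the attribute.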