[TriLUG] poppassd and ldap
Ben Simpson
ben at silextech.com
Wed Jan 8 08:24:02 EST 2003
My original problem is trying to find a good way that my internet users
can change their passwords on my website. IMP has a way to do this and
it uses a PHP script that communicates with poppassd. poppassd changes
the password using passwd as root. passwd uses PAM to communicate with
LDAP.
I can use passwd to change the ldap password from my SUSE workstation.
I go to the server and try passwd there. No go: I get access denied and
permission problems.
So. It looks like LDAP is not the problem, because it would have
failed both tests. So the only other thing is the /etc/pam.d/passwd
configuration file is not right. I tried all day yesterday to
figure out what is wrong with it. The server is running Debian, btw.
So I compare the passwd file on the server with the one on my
workstation. I found that my workstation is using pam_unix2.so and
the server is using pam_unix.so and pam_ldap.so. So I copy the
pam_unix2.so to the server and type in the same thing on the server as
the workstation's passwd file. It just gives me "module not found"
messages. And I have triple checked the spelling. Arggg.
So is there a better way to change the password over the web than this?
Ben
Mark Turner wrote:
> Proxy users are for wusses. Binds should be done by the real user, or
> You're Doing It Wrong. :-)
>
> Ldap is complaining that the password provided by poppasswd doesn't
> match the one in the LDAP directory for the user. Pam_LDAP binds as a
> user in order to retrieve certain privileged fields, such as
> userPassword (at least, it should if you have properly set up your
> access control lists in /etc/openldap/slapd.conf. And you HAVE set
> them up, right?).
>
> I suggest you test the supplied password using ldapsearch, doing
> something like this:
>
> ldapsearch -x -D "uid=user,ou=People,o=silex technologies;c=us" -W
> "uid=user,ou=People,o=silex technologies;c=us" userPassword
>
> If the user's supplied password is correct, you should get LDAP's
> userPassword entry for that person. This should be the same query
> that poppasswd is performing.
>
> Seeing that the bottom of the poppasswd page says "poppasswd is run as
> root in order to change passwords," I'm not sure it will really play
> nicely with LDAP. Very few Googles seem to mention them together:
>
> http://www.google.com/search?q=poppasswd+ldap+bind&hl=en&lr=&ie=UTF-8&start=0&sa=N
>
>
> Mark
>
> Tanner Lovelace wrote:
>
>> Ah, that makes sense. Running the passwd command as root when using
>> local files will work fine, but ldap has its own access control
>> system. You could check into setting up a proxy user, but that's
>> getting way beyond my knowledge of ldap. Anyone else have any
>> suggestions?
>>
>>
--
Ben Simpson, MCSE
Systems Engineer
Voice and Fax Number: 1-877-718-7627 x401
Silex Technologies
http://www.silextech.com
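The thread turns on what the passwd service's PAM stack actually loads and why a module name that is spelled correctly can still produce "module not found": the file is parsed line by line as `type control module-path [args]`, and the module path is resolved against the PAM module directories, not against wherever a copied .so happens to sit. The script below is an added example (not code from the thread or from any of the posters) that parses a /etc/pam.d service file, isolates the `password` stack that passwd(1) uses, and reports whether each module resolves on disk. The sample configuration is constructed, the module directory list is an assumption that varies by distribution and architecture, and the parser handles the Debian `@include` directive, the optional leading `-`, and bracketed controls such as `[success=1 default=ignore]`.

```python
"""Parse a /etc/pam.d service file and check its password stack.

Added example, not from the thread.  Assumes the standard Linux-PAM line
format: type control module-path [args...].
"""
import os
import sys

# Constructed sample: a Debian-style /etc/pam.d/passwd that tries LDAP first
# ("sufficient": success ends the stack) and otherwise falls back to /etc/shadow.
SAMPLE_PAM_PASSWD = """\
# The PAM configuration file for the Shadow `passwd' service (constructed sample)
password   sufficient   pam_ldap.so
password   required     pam_unix.so nullok obscure md5 use_first_pass
"""

# Directories where Linux-PAM looks for modules.  This list is an assumption;
# the real location depends on the distribution and architecture.
MODULE_DIRS = [
    "/lib/security",
    "/lib64/security",
    "/lib/x86_64-linux-gnu/security",
    "/usr/lib/x86_64-linux-gnu/security",
]


def parse_pam(text):
    """Parse lines of the form: type control module-path [args...].

    Skips comments and blank lines, records Debian '@include' directives,
    notes an optional leading '-' on the type (PAM then tolerates a missing
    module), and joins bracketed controls that contain spaces.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "@include" and len(parts) >= 2:
            entries.append({"type": "@include", "control": None,
                            "module": parts[1], "args": [], "optional": False})
            continue
        mtype = parts[0]
        optional = mtype.startswith("-")
        if optional:
            mtype = mtype[1:]
        if len(parts) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        i = 1
        if parts[i].startswith("["):
            j = i
            while j < len(parts) and not parts[j].endswith("]"):
                j += 1
            if j == len(parts):
                raise ValueError("unterminated control bracket: %r" % raw)
            control = " ".join(parts[i:j + 1])
            i = j + 1
        else:
            control = parts[i]
            i += 1
        if i >= len(parts):
            raise ValueError("missing module path: %r" % raw)
        entries.append({"type": mtype, "control": control, "module": parts[i],
                        "args": parts[i + 1:], "optional": optional})
    return entries


def password_stack(entries):
    """Only 'password' lines are consulted when passwd(1) changes a password."""
    return [e for e in entries if e["type"] == "password"]


def check_modules(entries, dirs=MODULE_DIRS, exists=os.path.isfile):
    """Return (module, control, resolved_path_or_None) per non-include entry.

    A None path is the 'module not found' symptom: the name may be spelled
    correctly, but nothing by that name sits in any PAM module directory.
    """
    report = []
    for e in entries:
        if e["type"] == "@include":
            continue
        name = e["module"]
        candidates = [name] if os.path.isabs(name) else [os.path.join(d, name) for d in dirs]
        found = next((p for p in candidates if exists(p)), None)
        report.append((name, e["control"], found))
    return report


def missing_modules(text, dirs=MODULE_DIRS, exists=os.path.isfile):
    """Names of password-stack modules that do not resolve on disk."""
    stack = password_stack(parse_pam(text))
    return [m for m, _c, p in check_modules(stack, dirs, exists) if p is None]


if __name__ == "__main__":
    # Run on a real service file if given, otherwise on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PAM_PASSWD
    for name, control, path in check_modules(password_stack(parse_pam(text))):
        print("%-14s %-28s %s" % (name, control, path or "NOT FOUND"))
```

Run it as `python3 pamcheck.py /etc/pam.d/passwd` on the server: a module listed as NOT FOUND is one the stack names but the loader cannot locate, which is the quick way to tell a misspelling from a module that was copied to the wrong directory or built for a different PAM.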