I'm used to being able to change users' passwords as root using the "passwd" command on my main server (this was with NIS and the master shadow file kept on the server). Now with FDS, I get:
# passwd orion
Changing password for user orion.
Enter login(LDAP) password:
and I must enter the password for the user "orion". This gets tricky when the user has forgotten their password.
Is there a way to avoid this first check and allow root to force a change of the password?
I use a program called LDAP Administration Tool (available in debian apt repo, name = 'lat') which is a gtk app that allows LDAP administration. Simply connect as 'directory manager' and you can change passwords through the interface without needing to know the previous password.
Ryan Manikowski
System Administrator 2ergo Americas Inc.
Orion Poplawski wrote:
> [original question quoted above, snipped]
Orion Poplawski wrote:
> [original question quoted above, snipped]
I don't think so. "root" usually does not exist in LDAP, only in /etc/passwd, so "root" is not really an LDAP user. I suppose you could use ldappasswd and bind as "cn=directory manager" instead if you know the user is an LDAP user.
You could also use the console (export $DISPLAY etc.)
http://directory.fedoraproject.org/
'... Graphical console for all facets of user, group, and server management ...'
It's been a while since I've looked at it, but you may want to investigate the Directory Server Gateway (DSGW):
http://www.directory.fedora.redhat.com/wiki/DSGW_Install_Guide
Lastly, does anyone have an interesting application that allows users to request a new password via a web interface and a subsequent email?
Cheers, Dave

> Date: Thu, 11 Dec 2008 16:53:21 -0700
> From: rmeggins@redhat.com
> To: fedora-directory-users@redhat.com
> Subject: Re: [Fedora-directory-users] Allow root to change user's passwords
>
> Orion Poplawski wrote:
> > [original question quoted above, snipped]
> [reply quoted above, snipped]
On Thursday 11 December 2008 23:38, Orion Poplawski wrote:
> [original question quoted above, snipped]
I know it's possible; here is the way my setup (etch) works. It's likely a PAM issue.
xxxfcst2:~# passwd ryantest
New password:
Re-enter new password:
LDAP password information changed for ryantest
passwd: password updated successfully
xxxfcst2:~# grep ryantest /etc/passwd
xxxfcst2:~# getent passwd|grep ryan
ryantest:x:10058:5000:cfwx Account:/tmp/ryantest:/bin/bash
ytrfcst2:/etc/pam.d# grep -v ^# common*
common-account:account sufficient pam_ldap.so
common-account:account required pam_unix.so
common-auth:auth sufficient pam_ldap.so
common-auth:auth required pam_unix.so nullok_secure use_first_pass
common-password:
common-password:
common-password:password sufficient pam_ldap.so ignore_unknown_user
common-password:password required pam_unix.so nullok obscure min=4 max=8 md5
common-password:
common-password:
common-session:session required pam_unix.so
common-session:session optional pam_ldap.so
xxxfcst2:/etc/pam.d# grep -v ^# passwd
@include common-password
xxxfcst2:/etc/pam.d#
And lastly pam_ldap.conf
xxxfcst2:/etc# grep -v ^# pam_ldap.conf |strings
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
base dc=xxx,dc=ec,dc=gc,dc=ca
uri ldap://xxxoff.isb.ec.gc.ca
uri ldap://xxxoff0.isb.ec.gc.ca
uri ldap://xxxoff1.isb.ec.gc.ca
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts
Orion Poplawski wrote:
> [original question quoted above, snipped]
The answer is to set rootbinddn in /etc/ldap.conf and put the directory manager password into /etc/ldap.secret.
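The fix the thread settles on puts the directory manager's password on every client, so the file that holds it matters as much as the rootbinddn line. This added check is my own shell script, not code from the thread or from pam_ldap; it verifies both settings on constructed sample files, and the paths, sample contents and placeholder password are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_ldap. It checks a pam_ldap
# client for the setup the thread converges on (rootbinddn set, directory manager
# password in a secret file) and that the secret file is readable by root only.
# Paths are parameters so it can run on constructed samples; on a real client
# they would be /etc/ldap.conf (Debian: /etc/pam_ldap.conf) and /etc/ldap.secret.

# check_rootbind CONF SECRET: print findings; return 0 only if every check passes
check_rootbind() {
    conf=$1 secret=$2 rc=0
    # Without an active rootbinddn, pam_ldap binds as the user and root gets
    # the "Enter login(LDAP) password:" prompt the thread starts from.
    if grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+' "$conf"; then
        echo "ok: rootbinddn set in $conf"
    else
        echo "FAIL: rootbinddn not set in $conf"; rc=1
    fi
    # pam_password exop lets the directory server hash the new password itself
    if grep -Eq '^[[:space:]]*pam_password[[:space:]]+exop' "$conf"; then
        echo "ok: pam_password exop"
    else
        echo "WARN: pam_password is not exop"
    fi
    # The secret is a privileged credential: it must exist and be 0600 or 0400
    if [ ! -f "$secret" ]; then
        echo "FAIL: $secret missing (no password to bind as rootbinddn)"; rc=1
    else
        perms=$(ls -l "$secret" | cut -c1-10)
        case "$perms" in
            -r[w-]-------) echo "ok: $secret is $perms" ;;
            *) echo "FAIL: $secret is $perms, expected -rw-------"; rc=1 ;;
        esac
    fi
    return $rc
}

# make_samples DIR: write a hardened and a misconfigured pair of constructed files
make_samples() {
    printf 'base dc=example,dc=com\nuri ldap://ldap.example.com\nldap_version 3\n' > "$1/good.conf"
    printf 'rootbinddn cn=directory manager\npam_password exop\nssl start_tls\n' >> "$1/good.conf"
    printf 'PLACEHOLDER-DIRECTORY-MANAGER-PASSWORD\n' > "$1/good.secret"
    chmod 600 "$1/good.secret"
    printf 'base dc=example,dc=com\nuri ldap://ldap.example.com\n' > "$1/bad.conf"
    printf '#rootbinddn cn=directory manager\npam_password clear\n' >> "$1/bad.conf"
    printf 'PLACEHOLDER-DIRECTORY-MANAGER-PASSWORD\n' > "$1/bad.secret"
    chmod 644 "$1/bad.secret"
}
tmp=$(mktemp -d) && make_samples "$tmp"
echo "--- hardened client ---"; check_rootbind "$tmp/good.conf" "$tmp/good.secret"
echo "--- misconfigured client ---"; check_rootbind "$tmp/bad.conf" "$tmp/bad.secret"; rm -rf "$tmp"
```

On a real client, run check_rootbind against the live files as root; the misconfigured sample reproduces the password prompt Orion describes because its rootbinddn line is commented out.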
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users