[TriLUG] poppassd and ldap

Jon Carnes jonc at nc.rr.com
Wed Jan 8 09:07:41 EST 2003


For web-based password changes to remote systems I've used cgipaf (or
cgipasswd) based on an open source project by Stef Wagemakers.  It's
very cool and very easy to modify.  I modded it once to run a
stand-alone password changing script written in bash (that way the admin
could simply modify the bash script and not mess with changing the CGI).

If you can change passwords from a command line then you can get this to
work for you.

http://staf.patat.org/?lang=eng&top=prg

Some nice features are:
 - Records the number of attempts and can lock out or send admin warnings;
 - Limits attempts to users with UID greater than 400 (default setting),
so it can't be used to hack into a system account;
 - You can easily modify who can and cannot use the app to change their
password, including using a database to indicate valid users;
 - Has been extended to allow users to modify other settings remotely
via the web, like modifying personal procmail files or vacation
messages.

Good Luck - Jon Carnes

On Wed, 2003-01-08 at 08:24, Ben Simpson wrote:
> My original problem is trying to find a good way that my internet users 
> can change their passwords on my website.  IMP has a way to do this and 
> it uses a PHP script that communicates with poppassd.  poppassd changes 
> the password using passwd as root.  passwd uses PAM to communicate with 
> LDAP.
> 
> I can use passwd to change the ldap password from my SUSE workstation.
> I go to the server and try passwd there.  No go, I get access denied and
> permission problems.
> So it looks like LDAP is not the problem, because it would have
> failed both tests.  So the only other thing is the /etc/pam.d/passwd
> configuration file is not right.  I tried all day yesterday to
> figure out what is wrong with it.  The server is running Debian btw.
> So I compare the passwd file on the server with the one on my
> workstation.  I found that my workstation is using pam_unix2.so and
> the server is using pam_unix.so and pam_ldap.so.  So I copy the
> pam_unix2.so to the server and type in the same thing on the server as
> the workstation's passwd file.  It just gives me module not found
> messages.  And I have triple checked the spelling.  Arggg.
> 
> So is there a better way to change the password over the web than this?
> Ben
> Mark Turner wrote:
> 
> > Proxy users are for wusses. Binds should be done by the real user, or 
> > You're Doing It Wrong. :-)
> >
> > Ldap is complaining that the password provided by poppasswd doesn't 
> > match the one in the LDAP directory for the user. Pam_LDAP binds as a 
> > user in order to retrieve certain privileged fields, such as 
> > userPassword (at least, it should if you have properly set up your 
> > access control lists in /etc/openldap/slapd.conf. And you HAVE set 
> > them up, right?).
> >
> > I suggest you test the supplied password using ldapsearch, doing 
> > something like this:
> >
> > ldapsearch -x  -D "uid=user,ou=People,o=silex technologies;c=us"  -W 
> > "uid=user,ou=People,o=silex technologies;c=us" userPassword
> >
> > If the user's supplied password is correct, you should get LDAP's 
> > userPassword entry for that person.  This should be the same query 
> > that poppasswd is performing.
> >
> > Seeing that the bottom of the poppasswd page says "poppasswd is run as 
> > root in order to change passwords," I'm not sure it will really play 
> > nicely with LDAP. Very few Googles seem to mention them together:
> >
> > http://www.google.com/search?q=poppasswd+ldap+bind&hl=en&lr=&ie=UTF-8&start=0&sa=N 
> >
> >
> > Mark
> >
> > Tanner Lovelace wrote:
> >
> >> Ah, that makes sense.  Running the passwd command as root when using
> >> local files will work fine, but ldap has its own access control
> >> system.  You could check into setting up a proxy user, but that's
> >> getting way beyond my knowledge of ldap.  Anyone else have any
> >> suggestions?
> >>  
> >>
> 
> -- 
> Ben Simpson, MCSE
> Systems Engineer
> Voice and Fax Number: 1-877-718-7627 x401
> 
> Silex Technologies
> http://www.silextech.com
> 
> 
> 
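The admission controls Jon lists for cgipaf (only UIDs above 400 may use the tool, failed attempts are counted so the account can be locked, and an admin-maintained deny list), worked through as an added example that is not cgipaf's own code; the passwd table and the lockout threshold of 3 are constructed assumptions for the illustration.

```python
"""Admission policy for a web password-change gateway, cgipaf-style.

Added example, not cgipaf's code: it models the gate such a CGI applies
before it ever invokes passwd as root, using an embedded, constructed
passwd table so it runs offline.
"""
from collections import defaultdict

MIN_UID = 400        # cgipaf's documented default threshold
MAX_FAILURES = 3     # lockout threshold: an assumed policy value

# Constructed sample in /etc/passwd format; not taken from any real host.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www-data:x:33:33:www-data:/var/www:/bin/false
ldapadm:x:399:399:LDAP admin:/home/ldapadm:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
"""

def parse_passwd(text):
    """Return {login: uid} from passwd-format text, skipping malformed lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            table[fields[0]] = int(fields[2])
    return table

def may_change_password(login, table, denied=frozenset(), min_uid=MIN_UID):
    """Refuse unknown logins, system accounts (uid <= min_uid) and denied
    users before the request reaches the root-privileged passwd step."""
    uid = table.get(login)
    if uid is None or login in denied:
        return False
    return uid > min_uid

class AttemptTracker:
    """Counts failed attempts per login; locks the login at the threshold."""
    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def record_failure(self, login):
        """Record one failure; return True once the login is locked out."""
        self.failures[login] += 1
        return self.is_locked(login)

    def record_success(self, login):
        self.failures.pop(login, None)      # a good change resets the count

    def is_locked(self, login):
        return self.failures.get(login, 0) >= self.max_failures
```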