LDAP Authentication

Toby Burress kurin at delete.org
Thu Nov 20 19:06:54 UTC 2008


On Thu, Nov 20, 2008 at 04:52:17PM +0100, Dieter Kluenter wrote:
> Hi,
> I just stumbled upon
> http://www.freebsd.org/doc/en/articles/ldap-auth/client.html
> 
> In example 7 you are presenting a ruby script to modify a
> userpassword. In this script you use some sort of ldapmodify to change
> the password value. This is a NO NO. Never modify a password this
> way and please do not propagate this.
> The proper way is to call the extended operation passwordModify
> (RFC-3062). The shell script of example 6 calls ldappasswd(1), which
> calls this extended operation.

Unfortunately it doesn't look like ruby-ldap supports RFC-3062.
This specific example, iirc, was adapted from a script I wrote to
modify passwords in an Active Directory server, which requires a
specific (crazy) kind of ldapmodify.

However, from the RFC it looks like this extension is specifically
to allow the directory to manage the password backend even when
such backend isn't the directory itself (which my article doesn't
cover).  While I'll add a section about this and the passwordModify
operation, I think it is not terrible to use ldapModify to change
passwords, as long as (a) the users are in fact kept in the directory,
and (b) the admin is aware that he'll have to change his scripts
if that changes in the future.
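As an added example, not from the FreeBSD article or either poster: what "calling the extended operation" means on the wire, building the RFC 3062 PasswdModifyRequestValue that ldappasswd(1) sends, wrapping it in an LDAP ExtendedRequest and parsing it back in plain Ruby. The DN, passwords and message ID are constructed values, and no directory server is contacted.

```ruby
# RFC 3062 LDAP Password Modify: build the PasswdModifyRequestValue ldappasswd(1) sends,
# wrap it in an LDAP ExtendedRequest (RFC 4511), parse it back.  No server is contacted.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 request OID
FIELD_NAMES = { 0x80 => :userIdentity, 0x81 => :oldPasswd, 0x82 => :newPasswd }

# BER length: short form below 128, long form (0x80|n, then n length bytes).
def ber_length(n)
  return [n].pack("C") if n < 0x80
  body = n.digits(256).reverse
  ([0x80 | body.size] + body).pack("C*")
end
def tlv(tag, value)
  [tag].pack("C") + ber_length(value.bytesize) + value.b
end

# SEQUENCE { userIdentity [0], oldPasswd [1], newPasswd [2] }, all OPTIONAL, implicit tags 0x80-0x82
def encode_passwd_modify(user: nil, old_pw: nil, new_pw: nil)
  fields = { 0x80 => user, 0x81 => old_pw, 0x82 => new_pw }
  tlv(0x30, fields.reject { |_, v| v.nil? }.map { |t, v| tlv(t, v) }.join)
end

# LDAPMessage { INTEGER messageID, [APPLICATION 23] { requestName [0], requestValue [1] } }; IDs < 128
def extended_request(message_id, value)
  op = tlv(0x80, PASSWD_MODIFY_OID) + tlv(0x81, value)
  tlv(0x30, tlv(0x02, [message_id].pack("C")) + tlv(0x77, op))
end

# Read one TLV from buf; returns [tag, value, rest], raising on truncation.
def read_tlv(buf)
  tag, len, pos = buf.getbyte(0), buf.getbyte(1), 2
  raise "truncated TLV" if len.nil?
  if len & 0x80 != 0
    pos += (size = len & 0x7F)
    len = buf.byteslice(2, size).bytes.inject(0) { |acc, b| (acc << 8) | b }
  end
  raise "truncated TLV" if buf.bytesize < pos + len
  [tag, buf.byteslice(pos, len), buf.byteslice(pos + len..-1)]
end
def decode_passwd_modify(data)
  tag, inner, rest = read_tlv(data)
  raise "expected a single SEQUENCE" unless tag == 0x30 && rest.empty?
  out = {}
  until inner.empty?
    tag, val, inner = read_tlv(inner)
    name = FIELD_NAMES.fetch(tag) { raise format("unexpected tag 0x%02x", tag) }
    raise "repeated field #{name}" if out.key?(name)
    out[name] = val.force_encoding("UTF-8")
  end
  out
end
```

Omitting userIdentity asks the server to change the password of the bound entry, which is how ldappasswd(1) behaves when no DN is given; the server's matching Password Modify response carries the same OID.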



More information about the freebsd-doc mailing list