
List:       pamldap
Subject:    Re: [pamldap] password changing with eDirectory 8.7
From:       ressu () ressukka ! net (Sami Haahtinen)
Date:       2003-05-14 5:58:27

On Tue, May 13, 2003 at 12:38:19PM -0400, John Dalbec wrote:
> Can I use a rootbinddn to change passwords?  Or should I omit the 
> rootbinddn and have pam_ldap bind as the user?  Will pam_ldap bind as 
> the user if I also have a binddn?  What about administrative password 
> changes?  Do I have to use iManager/ConsoleOne for those?

This all depends on the security level you are planning on getting to.

If you want to change the passwords of normal users with the root
account, you need to set the rootbinddn and ldap.secret file. This will
allow you to change the user's password without actually knowing it
before the change. This is something you most likely want to do, but the
method varies.

On the other hand, if the system is a public system, there is always a
chance of a break-in, and in such a case, you can consider your database
compromised too.

This is all just a big game, you need to find the right combination to
win. In my case, we have a machine with no public access, and as few
services as possible with rootbinddn set up and the rest of the machines
without it. We also have custom built scripts for the non-enlightened
helpdesk people who deal with broken passwords and new accounts all the
time.

Regards, Sami Haahtinen

-- 
			  -< Sami Haahtinen >-
      -[ Notify immediately if you do not receive this message ]-
	-< 2209 3C53 D0FB 041C F7B1  F908 A9B6 F730 B83D 761C >-
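
The split described in the message above (one locked-down host holding rootbinddn and ldap.secret, every other host without them) can be checked per host. This is an added example, not part of the original message or of pam_ldap; the function name, the "admin"/"client" role names and the demo file contents are assumptions, and the file paths are passed in as arguments.

```shell
#!/bin/sh
# audit_pam_ldap CONF SECRET ROLE   (hypothetical helper)
# ROLE "admin": the one host allowed to hold the root bind credential.
# ROLE "client": every other host. Returns the number of findings.
audit_pam_ldap() {
    conf=$1 secret=$2 role=$3 findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Keyword match is case-insensitive; commented-out lines do not count.
    rootdn=$(awk 'tolower($1) == "rootbinddn" { print $2; exit }' "$conf")
    # Characters 5-10 of the ls mode string are the group/other bits.
    other=""
    [ -f "$secret" ] && other=$(ls -ld "$secret" | cut -c5-10)

    if [ "$role" = client ]; then
        [ -z "$rootdn" ] || flag "rootbinddn ($rootdn) set on a client host"
        [ ! -e "$secret" ] || flag "$secret present on a client host"
    else
        [ -n "$rootdn" ] || flag "admin host has no rootbinddn in $conf"
        if [ ! -f "$secret" ]; then
            flag "admin host has no $secret"
        elif [ "$other" != "------" ]; then
            flag "$secret is accessible to group/other (mode bits: $other)"
        fi
    fi
    return "$findings"
}

# Constructed demo: a client host that still carries the admin credential.
demo=$(mktemp -d)
printf 'host ldap.example.test\nrootbinddn cn=admin,o=example\n' > "$demo/ldap.conf"
printf 'constructed-secret\n' > "$demo/ldap.secret"
audit_pam_ldap "$demo/ldap.conf" "$demo/ldap.secret" client || echo "$? finding(s)"
rm -rf "$demo"
```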