From: Benjamin Reed
Date: 22:21 on 24 Oct 2007
Subject: LDAP + PAM + TLS + OMGWTF

Why, in the year 2007, is it still not possible to just friggin' type "passwd" and have it update your LDAP server? Or maybe it is possible, and I just can't find it. There are so many false hits on anything LDAP-related it's not even funny.
From: Peter da Silva
Date: 22:57 on 24 Oct 2007
Subject: Re: LDAP + PAM + TLS + OMGWTF

On 24-Oct-2007, at 16:21, Benjamin Reed wrote:
> Why, in the year 2007, is it still not possible to just friggin' type
> "passwd" and have it update your LDAP server?

An entirely reasonable question. The answer I was given on one occasion I brought it up was that LDAP was designed for read-only access and read-write is cobbled on the side, often implemented in a completely insane manner, and writing is often either all-or-none, insecure, or both.
From: Phil Pennock
Date: 00:22 on 25 Oct 2007
Subject: Re: LDAP + PAM + TLS + OMGWTF

On 2007-10-24 at 16:57 -0500, Peter da Silva wrote:
> An entirely reasonable question. The answer I was given on one occasion I
> brought it up was that LDAP was designed for read-only access and
> read-write is cobbled on the side, often implemented in a completely insane
> manner, and writing is often either all-or-none, insecure, or both.

And yet password changing in LDAP is precisely standards-specified.

3062 LDAP Password Modify Extended Operation. K. Zeilenga. February 2001.
(Format: TXT=11807 bytes) (Status: PROPOSED STANDARD)

A wrapper script to avoid the whole PAM mess and just provide passwd(1) compatibility by also calling ldappasswd from OpenLDAP? Crude but effective? Or do users need to be able to change passwords from GUI tools and automatically at login with (*spit*) expiration policies?

-Phil
From: Peter da Silva
Date: 01:07 on 25 Oct 2007
Subject: Re: LDAP + PAM + TLS + OMGWTF

On 24-Oct-2007, at 18:22, Phil Pennock wrote:
> 3062 LDAP Password Modify Extended Operation. K. Zeilenga. February
> 2001. (Format: TXT=11807 bytes) (Status: PROPOSED STANDARD)

Does anything implement it, other than slapd and php?

Oh, Sun Buzzword Enterprise Java Thingy 6.0 implemented it this year!
From: Phil Pennock
Date: 05:28 on 25 Oct 2007
Subject: Re: LDAP + PAM + TLS + OMGWTF

On 2007-10-24 at 19:07 -0500, Peter da Silva wrote:
> On 24-Oct-2007, at 18:22, Phil Pennock wrote:
>> 3062 LDAP Password Modify Extended Operation. K. Zeilenga. February
>> 2001. (Format: TXT=11807 bytes) (Status: PROPOSED STANDARD)
>
> Does anything implement it, other than slapd and php?

Server-side? Not a clue.

Unless some wacko has decided to implement an LDAP server in PHP, I'm guessing that you're including client-side in the question, so ... ldappasswd(1) from OpenLDAP. Shocker, that. So you theoretically can script an update from a passwd shell script wrapper.

Beyond that, pass. Around the time I was looking at passwords in LDAP, I had some spare time on my hands and over-engineered slightly and converted my systems to Kerberos ...

-Phil
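What ldappasswd(1) actually puts on the wire when used from a passwd wrapper like the one Phil suggests (in his two messages above) is the RFC 3062 Password Modify extended operation. The following is an added example for this thread, not OpenLDAP's code and not taken from any message in it: a hand-rolled BER encoder for the request and a decoder for the response, so the format is concrete. The OID and tag numbers are from RFC 3062 and RFC 4511; the user DN, passwords and the response bytes are constructed for illustration. The point worth seeing is that oldPasswd and newPasswd are plain OCTET STRINGs inside the request, which is why the operation is only safe over TLS (or a SASL layer with confidentiality), as the RFC itself requires.

```python
"""RFC 3062 Password Modify: request encoder and response decoder.
Added example for this thread; not OpenLDAP's implementation. Sample
DN, passwords and the server response below are constructed."""

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # RFC 3062, section 2


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER element: tag, length, contents."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Minimal two's-complement INTEGER contents for n >= 0."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def passwd_modify_value(user=None, old=None, new=None) -> bytes:
    """PasswdModifyRequestValue ::= SEQUENCE { userIdentity [0], oldPasswd [1],
    newPasswd [2] }, all OPTIONAL OCTET STRINGs. Both passwords are sent as
    plain octets: the confidentiality has to come from TLS underneath."""
    parts = b""
    if user is not None:
        parts += tlv(0x80, user.encode())
    if old is not None:
        parts += tlv(0x81, old.encode())
    if new is not None:
        parts += tlv(0x82, new.encode())
    return tlv(0x30, parts)


def extended_request(message_id: int, oid: str, value=None) -> bytes:
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] {
    requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL } }."""
    body = tlv(0x80, oid.encode())
    if value is not None:
        body += tlv(0x81, value)
    return tlv(0x30, tlv(0x02, ber_int(message_id)) + tlv(0x77, body))


def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, contents, position just after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_extended_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, ExtendedResponse [APPLICATION 24] {
    resultCode, matchedDN, diagnosticMessage, ..., responseValue [11] } }
    and extract a server-generated password (genPasswd [0]) if present."""
    tag, body, _ = read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(body)
    tag, op, _ = read_tlv(body, pos)
    if tag != 0x78:
        raise ValueError("not an ExtendedResponse")
    _, rc, pos = read_tlv(op)             # resultCode ENUMERATED
    _, _matched, pos = read_tlv(op, pos)  # matchedDN
    _, diag, pos = read_tlv(op, pos)      # diagnosticMessage
    out = {"messageID": int.from_bytes(mid, "big", signed=True),
           "resultCode": int.from_bytes(rc, "big"),
           "diagnosticMessage": diag.decode(), "genPasswd": None}
    while pos < len(op):                  # referral [3] / responseName [10] / responseValue [11]
        tag, val, pos = read_tlv(op, pos)
        if tag == 0x8B:
            _, inner, _ = read_tlv(val)   # PasswdModifyResponseValue SEQUENCE
            ipos = 0
            while ipos < len(inner):
                t, v, ipos = read_tlv(inner, ipos)
                if t == 0x80:
                    out["genPasswd"] = v.decode()
    return out


# Constructed sample (not a capture): success for messageID 2, returning a
# server-generated password because the request carried no newPasswd.
SAMPLE_RESPONSE = bytes.fromhex("301602010278110a010004000400"
                                "8b083006800458793721")

if __name__ == "__main__":
    req = extended_request(1, PASSWD_MODIFY_OID, passwd_modify_value(
        "uid=bob,ou=people,dc=example,dc=com", "hunter2", "correct horse"))
    print(req.hex())
    print(parse_extended_response(SAMPLE_RESPONSE))
```

A wrapper around ldappasswd should always request StartTLS and refuse to continue without it (OpenLDAP's `-ZZ`), precisely because the decoder above shows the passwords sitting in the request as cleartext octets.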
From: Yossi Kreinin
Date: 11:56 on 27 Oct 2007
Subject: Re: LDAP + PAM + TLS + OMGWTF

Phil Pennock wrote:
> On 2007-10-24 at 16:57 -0500, Peter da Silva wrote:
>
> A wrapper script to avoid the whole PAM mess and just provide passwd(1)
> compatibility by also calling ldappasswd from OpenLDAP? Crude but
> effective? Or do users need to be able to change passwords from GUI
> tools and automatically at login with (*spit*) expiration policies?
>

*Hey!* Careful with those expiration policies! Expiration policies are wonderful things, enhancing security and encouraging exploration. Without them, how would I ever find out that fuck,You is a legitimate password on a system that thinks it only permits passwords of 12 or more characters, *and* has an (apparently overly sanitized) dictionary for validating password security? Not to mention all the ubersecure passwords produced by walking on the keyboard with one's fingertips.
Generated at 10:26 on 16 Apr 2008 by mariachi