Dear Klaus,

this is indeed a very nice thing to have!

On 2005 September 6 Tuesday 17:55, Klaus Ade Johnstad wrote:
> This year was my 4th year handing out passwords to our yearly 180 new
> pupils at my school. This year, unlike the other years, I did something
> "clever": making a mandatory change of password via kdm at first login.
>
> When they logged on with the username and password created by wlus, they
> were immediately prompted by kdm to change their passwords before kde
> started.
>
> This is how I did this:
>
> At about line 109 in /etc/ldap/slapd.conf I added these lines:
> access to attrs=shadowLastChange
>         by self ssf=128 =wx
>         by dn.exact="cn=admin,ou=People,dc=skole,dc=skolelinux,dc=no"
>            ssf=128 =wx
>         by * read
>
> At about line 1126 in /usr/share/webmin/ldap-users/ldap-users.pl I
> added these lines:
> shadowMin =>0,
> shadowMax =>99999,
> shadowWarning =>7,
> shadowLastChange=>0,
>
>
> This prompts everyone to change their password, whether they login via
> kdm or ssh.

I hope not every time. Once, right?

> The only drawback to this approach is that it only changes the
> userPassword (Linux password), not sambaLMPassword or sambaNTPassword,
> but I don't have any Windows machines anyway.

Maybe a wrapper to the passwd command?

> Later once they get to know Skolelinux, I introduce them to
> https://tjener.intern:10000 via a webbrowser, it's nice not having to
> walk them through changing their passwords in wlus as the first thing
> they do on Skolelinux, that tends to "scare" people.
>
>
> Feedback and improvements are very welcome, especially if these changes
> that I made to slapd.conf and ldap-users.pl are sane, and if it is
> possible to also get the sambaLMPassword and sambaNTPassword changed
> this way (I suspect kdepasswd needs to be disciplined to do this).
>
>
> Klaus

We (in the Faculty of Sociology) had the same problem with the old Novell
server. The passwords were printed and handed out to the students. Then we
migrated to Linux.

As we have Windows clients, we solved the problem differently. A webpage was
created and made accessible via https://server.de/application. The applicants
filled out a form (with address, ... and password) which was fed into the
user administration. When they confirmed their application (signing a
contract), the password of the user was set in LDAP (userPassword and
Samba) with a click on a button.

The advantages:
- fill out the form wherever you are on this planet
- admins do not have to know the password
- the admins do not have to type the other user data (address, mail, ...),
  the users do
- the account is activated if the students prove their status
- samba and user password are changed

Yours
Christian
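
The shadow attribute semantics behind the setup in the quoted post, as an added example that is not part of the original thread: a simplified Python model of the shadow(5) ageing rules, showing that shadowLastChange=0 forces a change at the next login only and that the user must be able to write the attribute for the prompt to stop. The function names and the self_may_write flag are hypothetical; on a real system the PAM module makes this decision.

```python
from datetime import date

def day_number(d):
    """Days since 1970-01-01, the unit shadowLastChange is stored in."""
    return (d - date(1970, 1, 1)).days

def password_state(entry, today):
    """Classify an account from its shadow* attributes (simplified shadow(5) rules)."""
    last = entry["shadowLastChange"]
    max_age = entry.get("shadowMax", -1)
    warn = entry.get("shadowWarning", -1)
    if last == 0:
        return "must_change"      # 0 is the special "change at next login" value
    age = today - last
    if age < 0:
        return "ok"               # last change lies in the future: clock skew
    if max_age != -1 and age > max_age:
        return "must_change"      # password is older than shadowMax days
    if max_age != -1 and warn != -1 and age > max_age - warn:
        return "warn"             # inside the shadowWarning window
    return "ok"

def change_password(entry, today, self_may_write=True):
    """Model a successful password change made by the user.

    self_may_write (hypothetical flag) stands for an ACL such as the
    'by self ... =wx' rule on shadowLastChange: without write access the
    day stamp cannot be updated and stays at its old value.
    """
    updated = dict(entry)
    if self_may_write:
        updated["shadowLastChange"] = today
    return updated

# Constructed entry using the four values the post adds to ldap-users.pl.
NEW_USER = {"shadowMin": 0, "shadowMax": 99999,
            "shadowWarning": 7, "shadowLastChange": 0}

if __name__ == "__main__":
    today = day_number(date(2005, 9, 6))
    print("first login:", password_state(NEW_USER, today))
    changed = change_password(NEW_USER, today)
    print("next login:", password_state(changed, today + 1))
    stuck = change_password(NEW_USER, today, self_may_write=False)
    print("without self write:", password_state(stuck, today + 1))
```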