Re: Slapd-config, jrpasswd and admins
Bjorn Ove Grotan wrote:
> Finn-Arne Johansen:
>
>>I've checked in a new slapd-sarge-debian-edu.conf. Those of you who
>>knows anything about slapd configuration, please have a look.
>>I've tested this one, and it will allow jradmins to change _every_
>>password except the ldap-admin password.
>>
>>There is also the new utility called jrpasswd by Bjoern Ove (gagatan),
>>located at the same location, that should do the job.
>>The later should provide better security, since it's python, and the
>>former is bash code, which could make it possible to sniff the password
>>while used (although I have not been able to sniff the password)
>>
>>I'm not sure about how jrpasswd will update the samba password, but I
>>know that passwd tries to use sudo , so you will have to do some work
>>there.
>
>
> I'm not quite shure what passwd and sudo has to do with samba-passwords here.
> jrpasswd changes the lanman- and nt-hashes if configured to do so.
To set samba password for another user using smbpasswd, you have to be
root.
So the script /usr/share/debian-edu-config/tools/passwd tries to use
sudo to run smbpasswd if you are to change the password for another user.
> I'll be in Oslo on Tuesday (21.2.) and have some time between meetings at UiO
> campus and when my flight back to Trondheim in the evening. Anyone want to meet up to
> discuss this, user administration in skolelinux or just the general
> conspiracy thingy - don't hesitate to contact me by email or irc (Gagatan).
Well, I want to have that discussion _after_ we've released a
sarge-based debian-edu, but I want to allow have a working tool like
jrpasswd or some other tool that allow someone other than ldap admin to
change password.
did you have a chance of looking at the config I checked in ?
--
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
Debian-edu developer and Solution provider
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642
Reply to: