
Changing password from outside



Hi,

we are trying to find the best way to change users' passwords from
outside Debian Edu.

Debian Edu has three sets of credentials per user:

 * LDAP auth scheme and password hash for simple bind
 * Samba NT/LM hashes
 * Kerberos principal keys

In order to ensure they are kept in sync, Debian Edu enforces using
GOsa to change passwords. GOsa has knowledge of an LDAP manager
account and can call all the utilities needed to update Samba and
Kerberos credentials.

However, in order to better integrate AlekSIS, it would be desirable
to be able to change passwords from outside Debian Edu / GOsa. One
obvious way would be to SSH into Debian Edu and just do what GOsa
would do, but that's a somewhat nasty hack.

In other LDAP setups, we just call the LDAP password modify operation,
and rely on LDAP to do the right thing. These are Heimdal Kerberos
setups, where we can leverage the smbk5pwd overlay in LDAP itself to
keep the credentials in sync.

There is an equivalent for MIT Kerberos, smbkrb5pwd, but it…

 …is not in Debian
 …looks somewhat unmaintained
 …requires Kerberos and other user data to be in separate LDAP
  objects (which is funny, because smbk5pwd for Heimdal requires
  exactly the opposite)

Maybe someone here has any idea on how this could be done, without
falling back to writing expect scripts that call cli utilities?

Cheers,
Nik

-- 
Dominik George (1. Vorstandsvorsitzender, pädagogischer Leiter)
Teckids e.V. — Digitale Freiheit mit Jugend und Bildung
https://www.teckids.org/
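
Added example, not part of the original message: the request value of the LDAP Password Modify extended operation (RFC 3062) that the message refers to, encoded and decoded by hand in Python. The value carries the new password in cleartext, which is what allows a server-side overlay such as smbk5pwd to derive the other credentials from it, so the connection has to be protected with TLS. The DN and passwords below are constructed sample values.

```python
# Added example: RFC 3062 PasswdModifyRequestValue, built and parsed by hand.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"  # requestName of the extended op
FIELDS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}

def ber_len(n):
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def passwd_modify_value(user_dn=None, old=None, new=None):
    """SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd }, all optional."""
    inner = b""
    for tag, item in ((0x80, user_dn), (0x81, old), (0x82, new)):
        if item is not None:
            inner += tlv(tag, item.encode("utf-8"))
    return tlv(0x30, inner)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); reject anything that runs past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length

def parse_passwd_modify_value(blob):
    """What the receiving side sees: the passwords come out as cleartext."""
    tag, body, end = read_tlv(blob, 0)
    if tag != 0x30 or end != len(blob):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag not in FIELDS:
            raise ValueError("unexpected tag 0x%02x" % tag)
        out[FIELDS[tag]] = value.decode("utf-8")
    return out

if __name__ == "__main__":  # constructed sample DN and password
    v = passwd_modify_value("uid=jdoe,ou=people,dc=example,dc=org", new="s3cret")
    print(PASSWD_MODIFY_OID, v.hex(), parse_passwd_modify_value(v))
```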

