LDAP-UX Client Services B.05.00 Administrator's Guide
8 User tasks
This chapter describes tasks pertaining to the management of users.
8.1 Modifying passwords
With LDAP-UX Client Services, users change their password with the passwd command.
Depending on how you have PAM configured and depending on where the user's information
is, in the directory or in /etc/passwd, users may get prompted for their password twice as PAM
looks in the configured locations for the user's information.
Since LDAP directory replicas may not be modifiable, the passwd command may not work on
clients configured to use a directory replica. In this case you could use the ldappasswd command
(for more information about the ldappasswd command, see the ldappasswd(8) manpage). You
might wrap an ldappasswd command in a passwd wrapper, similar to the yppasswd command.
The wrapper would ask the user for the old password, call ldapsearch to find the current
user's DN, then call ldappasswd and specify the master LDAP directory server. See Figure 8-3
(page 336) for an example you can modify and use.
For example, referring to Figure 8-1 (page 335), say clients 1-50 use the master directory server
on sys001 and clients 51-100 use the replica directory server on sys002. The passwd command
on clients 1-50 can modify passwords in the master directory on sys001. However, the passwd
command on clients 51-100 will fail because the replica server on sys002 cannot be modified.
Figure 8-1 Cannot change passwords on replica servers
[Figure: LDAP-UX clients 1-50 use the master LDAP directory server, where passwd(1) can modify the master LDAP server. LDAP-UX clients 51-100 use the replica LDAP directory server, where passwd(1) cannot modify the replica LDAP server. An arrow labelled "Updates" connects the master and the replica.]
One way to allow clients 51-100 to change their passwords is to create a new passwd command
wrapper on these clients that calls ldappasswd, which modifies the master directory, as shown
in Figure 8-2 (page 335). When the replica server is updated depends on how you have configured
the replication. All other LDAP requests continue to go to the replica server through PAM and
NSS. See below. For a sample passwd wrapper command, see Figure 8-3 (page 336).
Figure 8-2 Changing passwords on master server with ldappasswd
[Figure: LDAP-UX clients 1-50 use passwd(1), which can modify the master LDAP server. LDAP-UX clients 51-100 use ldappasswd(1), which can modify the master LDAP server. An arrow labelled "Updates" connects the master LDAP directory server and the replica LDAP directory server.]
See Section 7.4.2 (page 294) for details of this command.
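The wrapper described above, sketched as an added example (it is not Figure 8-3 and not code from this guide). It assumes OpenLDAP-style client options, which may differ from the tools shipped with LDAP-UX (check ldappasswd(8) on your system); MASTER_URI, BASE_DN, the posixAccount filter and the ldap-passwd name are placeholders. Password prompting is left to ldappasswd so that neither the old nor the new password passes through the script or its argument list.

```sh
#!/bin/sh
# Added example: passwd-style wrapper that sends the change to the master.
# Assumes OpenLDAP-style client options; MASTER_URI and BASE_DN are
# site placeholders (sys001 is the master in the guide's example).
MASTER_URI="${MASTER_URI:-ldap://sys001}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"

# Escape LDAP filter metacharacters (RFC 4515) so a login name
# cannot change the meaning of the search filter.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Print the DN for login name $1; fail unless exactly one entry matches.
find_user_dn() {
    filter="(&(objectClass=posixAccount)(uid=$(ldap_escape "$1")))"
    # -ZZ requires StartTLS; 1.1 requests no attributes, only the DN.
    out=$(ldapsearch -x -ZZ -LLL -o ldif-wrap=no -H "$MASTER_URI" \
                     -b "$BASE_DN" "$filter" 1.1) || return 1
    [ "$(printf '%s\n' "$out" | grep -c '^dn: ')" -eq 1 ] || return 1
    printf '%s\n' "$out" | sed -n 's/^dn: //p'
}

change_ldap_password() {
    # Use the caller's own login name, never a command-line argument.
    user=$(id -un) || return 1
    dn=$(find_user_dn "$user") || {
        echo "passwd: no unique LDAP entry for $user" >&2
        return 1
    }
    echo "Changing LDAP password for $user on $MASTER_URI"
    # Bind as the user: -W prompts for the old password, -S for the new
    # one, so neither appears in argv where ps(1) could show it.
    ldappasswd -x -ZZ -H "$MASTER_URI" -D "$dn" -W -S "$dn"
}

# Run only when installed under the hypothetical name "ldap-passwd".
case "${0##*/}" in
    ldap-passwd) change_ldap_password ;;
esac
```

Lookups through PAM and NSS still go to the replica; only this password change is sent to the master, and the replica reflects it once replication runs.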