LDAP-UX Client Services B.05.01 Administrator Guide for HP directory servers and Windows ADS
10 User tasks
This chapter describes user management tasks.
10.1 Modifying passwords
With LDAP-UX Client Services, users change their password with the passwd command. Depending
on the PAM configuration and the location of the user's information (in the directory or in
/etc/passwd), users might be prompted for their password twice as PAM looks in the configured
locations for the user's information. Administrators can also modify user passwords using the -PP
or -PW options of the ldapugmod command, as described in Section 9.3.6 (page 313). SSL may
be required when connecting to the HP-UX Directory Server and will be required when connecting
to Windows ADS.
HP directory servers only
Since HP directory server replicas might not be modifiable, the passwd command might not work
on clients configured to use a directory replica. In this case you could use the ldappasswd
command (for more information about the ldappasswd command, see the ldappasswd(8) manpage
or the ldapugmod command described in Section 9.3.6 (page 313)). You might wrap an
ldappasswd command in a passwd wrapper, similar to the yppasswd command. The wrapper
would ask the user for the old password, call ldapsearch to find the current user's DN, then call
ldappasswd and specify the master LDAP directory server. See Figure 20 (page 392) for an
example you can modify and use.
For example, referring to Figure 18 (page 391), say clients 1-50 use the master directory server on
sys001 and clients 51-100 use the replica directory server on sys002. The passwd command on
clients 1-50 can modify passwords in the master directory on sys001. However, the passwd
command on clients 51-100 will fail because the replica server on sys002 cannot be modified.
Figure 18 Cannot change passwords on replica servers
[Figure: diagram labels: Updates; Master LDAP Directory Server (LDAP-UX Clients 1-50; passwd(1) can modify master LDAP server); Replica LDAP Directory Server (LDAP-UX Clients 51-100; passwd(1) cannot modify replica LDAP server).]
One way to allow clients 51-100 to change their passwords is to create a new passwd command
wrapper on these clients that calls ldappasswd, which modifies the master directory, as shown
in Figure 19 (page 392). When the replica server is updated depends on how you have configured
the replication. All other LDAP requests continue to go to the replica server through PAM and NSS.
For a sample passwd wrapper command, see Figure 20 (page 392).
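The wrapper procedure described above (find the user's DN, then change the password on the master), as an added example that is not HP's Figure 20 or any code from this guide. It assumes OpenLDAP-style option letters for ldapsearch and ldappasswd (check the manpages of the tools shipped with your directory server), anonymous read access to entry DNs on the master, and a placeholder BASE_DN; valid_login, dn_from_ldif and change_password are names made up for this example.

```shell
#!/bin/sh
# Added example: passwd wrapper for clients that read from a replica.
# Assumptions: OpenLDAP-style ldapsearch/ldappasswd options, anonymous read
# access to entry DNs on the master, and the placeholder values below.
MASTER_URI="ldaps://sys001"        # master host from the text; ldaps assumed
BASE_DN="dc=example,dc=com"        # placeholder search base

# Accept only plain login names so nothing can alter the search filter.
valid_login() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# Read LDIF on stdin and print the DN only if exactly one entry came back.
# Folded lines (leading space) are rejoined; base64 "dn::" is refused.
dn_from_ldif() {
    awk '
        /^ / && cont { dn = dn substr($0, 2); next }
        { cont = 0 }
        /^dn:: /     { bad = 1 }
        /^dn: /      { dn = substr($0, 5); n++; cont = 1 }
        END          { if (bad || n != 1) exit 1; print dn }
    '
}

change_password() {
    user=$(id -un) || return 1
    valid_login "$user" || { echo "unsupported login name" >&2; return 1; }
    # 1.1 asks for no attributes; only the DN is needed.
    dn=$(ldapsearch -x -LLL -H "$MASTER_URI" -b "$BASE_DN" \
            "(&(objectClass=posixAccount)(uid=$user))" 1.1 | dn_from_ldif) ||
        { echo "no unique directory entry for $user" >&2; return 1; }
    # -W prompts for the current password (used to bind as the user) and
    # -S prompts for the new one, so neither appears in the process list.
    ldappasswd -x -H "$MASTER_URI" -D "$dn" -W -S
}

# Run only when installed under the name "passwd" (assumed install name).
case "${0##*/}" in
    passwd) change_password ;;
esac
```

Because the wrapper binds only to the master, name resolution and authentication through PAM and NSS still go to the replica, as the text describes.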