PSARC/2008/745 nss_ldap shadowAccount support
Darren J Moffat
Darren.Moffat at Sun.COM
Wed Dec 3 01:44:24 PST 2008
I've read and understood this proposal and I'm happy it meets the
required functionality.
It isn't exactly mirroring how NIS+ does password change; it uses a
daemon on the NIS+ root master that is contacted over the network using
the end users creds. However I think this is sufficient and the risk of
having an LDAP "admin" cred stored on each host is acceptable.
Particularly given that for those deployments where that is not
acceptable the site can choose to use pam_ldap instead.
I'd suggest one tiny naming change. Instead of using
adminDN/adminPassword I'd recommend a name much more specific so that
it encourages sites to create an LDAP principal specifically for this
use rather than using the directory manager (or other all-powerful
account), say something like: shadowUpdateDN/shadowUpdatePassword.
--
Darren J Moffat
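As an added illustration of the "dedicated principal" point above (not part of the original message or of the PSARC case), this is what such a least-privilege principal could look like in a Sun DS / 389-style directory: a bind DN used only for shadow updates, plus an ACI on the people container that lets it write only the password and shadowAccount attributes. The suffix dc=example,dc=com, the container names, the principal cn and the password value are assumptions made for the example.

```ldif
# Assumed suffix and container names; adjust to the site's DIT.
# The shadow-update principal: a plain entry, not the directory manager.
dn: cn=shadowupdate,ou=Special Users,dc=example,dc=com
objectClass: top
objectClass: person
cn: shadowupdate
sn: shadowupdate
description: Bind DN used by nss_ldap hosts to update shadowAccount data
userPassword: {SSHA}replace-with-a-real-hash

# ACI on the container holding posixAccount/shadowAccount entries.
# Only the attributes the shadow-update path needs are writable;
# uid, uidNumber, homeDirectory, loginShell etc. stay out of reach,
# so a stolen per-host credential cannot rewrite account identity.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword || shadowLastChange || shadowMin ||
  shadowMax || shadowWarning || shadowInactive || shadowExpire ||
  shadowFlag")
  (version 3.0; acl "shadowupdate may write shadowAccount attributes";
  allow (write) userdn = "ldap:///cn=shadowupdate,ou=Special Users,dc=example,dc=com";)
```

The principal still needs read access to the same attributes for the lookups nss_ldap already performs; that is normally covered by the existing proxy or anonymous read ACIs and is not repeated here. What matters for the argument in the message is that the credential sitting on every host can do nothing beyond the shadow update itself.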