Topic: Change user password from bash (ldap)

b3rkl3y

Change user password from bash (ldap)
« on: December 06, 2011, 10:06:14 am »
Hello,

How can I change a user password (LDAP) from bash?

Thank you

christian

  • Guest
Re: Change user password from bash (ldap)
« Reply #1 on: December 06, 2011, 11:10:42 am »
Do you mean your own password or password for another account?
Changing an LDAP attribute value can be done using an LDIF file and ldapmodify. Quite easy but:
- be cautious ;)
- not very flexible if the idea is to change passwords often.

Is use of the LDAP protocol mandatory here? I mean, why not rely on NSS/PAM?

b3rkl3y

Re: Change user password from bash (ldap)
« Reply #2 on: December 06, 2011, 11:30:26 am »
Hello Christian,

Thank you for your input.

We are using the Zentyal LDAP for our services authentication, including squid.

My objective is to write a small bash script for changing the password of our "guest account" weekly and sending an email with the new password.

I can write the rest of the script without problems, but I need some help to find a safe way of changing the password using a bash script.

Thank you.

christian

  • Guest
Re: Change user password from bash (ldap)
« Reply #3 on: December 06, 2011, 11:45:45 am »
Sorry but does it mean that use of LDAP protocol is mandatory? I don't think so.

Thanks to the NSS/PAM implementation, you could use the passwd command (assuming the ACL authorizes the user to write its own entry, which I didn't check yet, but in any case, this should not be a blocking point).

If you still want to use LDAP, one way to achieve it could be to:
- run one step generating this new password and updating your reference LDIF file
- second step is to modify LDAP content using ldapmodify based on this LDIF file
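
The two steps listed in the reply above (generate the password and the LDIF, then apply it with ldapmodify), as an added example that is not part of the original thread. The function names, the LDAP_URI, BIND_DN, BIND_PW_FILE and ROTATE_DN variables and the sample DN are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: rotate an LDAP password with a generated LDIF and ldapmodify.
# Assumed (not from the thread): LDAP_URI, BIND_DN, BIND_PW_FILE, all function names.
# Only userPassword is replaced; other password hashes in the directory are untouched.

gen_password() {
    # 48 random bytes -> base64 -> keep alphanumerics -> first 20 characters
    gp_raw=$(head -c 48 /dev/urandom | base64 | tr -dc 'A-Za-z0-9')
    printf '%s' "$gp_raw" | cut -c1-20
}

b64() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

build_ldif() {
    # $1 = DN, $2 = new password. Both are base64-encoded ("::" form) so that
    # newlines, leading spaces or colons in either value cannot add LDIF lines.
    printf 'dn:: %s\nchangetype: modify\nreplace: userPassword\nuserPassword:: %s\n' \
        "$(b64 "$1")" "$(b64 "$2")"
}

write_ldif() {
    # Prints the path of a temp file; mktemp creates it with mode 0600.
    wl_file=$(mktemp "${TMPDIR:-/tmp}/pwchange.XXXXXX") || return 1
    build_ldif "$1" "$2" > "$wl_file" || return 1
    printf '%s\n' "$wl_file"
}

apply_ldif() {
    # -y reads the bind password from a file, so no secret appears in argv.
    # The whole file is used as the password, so it must not end with a newline.
    # Use an ldaps:// or ldapi:// URI so the new password is not sent in clear.
    ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -f "$1"
}

rotate_password() {
    # $1 = DN of the account. Prints the new password only if the change succeeded.
    rp_pw=$(gen_password) || return 1
    rp_ldif=$(write_ldif "$1" "$rp_pw") || return 1
    apply_ldif "$rp_ldif" && rp_rc=0 || rp_rc=$?
    rm -f "$rp_ldif"    # the LDIF holds the cleartext password
    [ "$rp_rc" -eq 0 ] || return "$rp_rc"
    printf '%s\n' "$rp_pw"
}

# Runs only when asked to (constructed DN):
#   ROTATE_DN='uid=guest,ou=Users,dc=example,dc=com' sh rotate.sh
if [ -n "${ROTATE_DN:-}" ]; then rotate_password "$ROTATE_DN"; fi
```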

jsalamero

  • Zentyal Staff
Re: Change user password from bash (ldap)
« Reply #4 on: December 08, 2011, 11:21:46 am »
Using ldapmodify won't create all hashes for Zentyal, better use Zentyal API, with something like this (incomplete):

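Code:
use strict;
use warnings;
use EBox;
use EBox::Global;
# Assumption: username as first argument, new password on STDIN (keeps it out of the process list)
my $user = shift @ARGV;
chomp(my $passwd = <STDIN>);
EBox::init();
my $usersMod = EBox::Global->getInstance()->modInstance('users');
$usersMod->_modifyUserPwd($user, $passwd);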

b3rkl3y

Re: Change user password from bash (ldap)
« Reply #5 on: March 19, 2012, 03:44:01 pm »
Greetings,

Sorry for not answering this before, but I've been really busy with other problems.
I tried to use PAM for changing the password with "passwd" and it worked, the only problem is that it asks for the current user password before changing it. Any way of disabling this?


jsalamero, thanks, but I'm not really sure how to use this API. How can I implement this?

Thanks in advance.

christian

  • Guest
Re: Change user password from bash (ldap)
« Reply #6 on: March 20, 2012, 09:41:37 am »
Quote from jsalamero: "Using ldapmodify won't create all hashes for Zentyal, better use Zentyal API.../..."

Good point  ;) This said, could you please explain why so many different hashes are used?
The only reason I currently see would be to "copy" password elsewhere or something similar (like synchro with external authentication).
I mean that if LDAP authentication is used, then only one password is required, everything else being handled by LDAP protocol itself.