PAM and Changing Passwords (System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP))

System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)

PAM and Changing Passwords

Use passwd(1) to change a password. In order to change the password, the userPassword attribute must be writable by the user. Remember that the serviceAuthenticationMethod for passwd-cmd overrides the authenticationMethod for this operation. Depending on the authentication used, the current password might be unencrypted on the wire.

In the case of pam_unix(5), the new userPassword attribute is encrypted using UNIX crypt format and tagged before being written to LDAP. Therefore, the new password is encrypted on the wire, regardless of the authentication method used to bind to the server.

For pam_ldap, when a password is changed, the new password is unencrypted. Therefore, to insure privacy, use TLS. If TLS is not used, the new userPassword will be subject to snooping.

When setting the password with pam_ldap(5) with Sun ONE Directory Server, the password is encrypted using the passwordStorageScheme (as it is untagged). For more information about the passwordStorageScheme attribute, see “User Account Management” in the Administration Guide for the version of Sun ONE Directory Server that you are using.

Note –

You need to consider the following when setting the passwordStorageScheme attribute. If a NIS, NIS+, or another client using pam_unix is using LDAP as a repository, then passwordStorageScheme needs to be crypt. Also, if using pam_ldap with sasl/digest-MD5 with Sun ONE Directory Server, passwordStorageScheme must be set to clear. See the following section for more information.