For a client I started to set up SSH authentication against OpenDJ, which I had chosen for reasons discussed previously.
To set up SSH with PAM and LDAP you can follow several tutorials; the one I found easiest to follow is: https://www.digitalocean.com/community/articles/how-to-authenticate-client-computers-using-ldap-on-an-ubuntu-12-04-vps
Depending on your security policy, you may need to allow SSH users to change their passwords with the passwd command. For that purpose the file /etc/pam.d/sshd has the following include:
# Standard Un*x password updating.
@include common-password
so a common configuration for the file common-password would be:
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so
As we can see, when we change a password we first try the user in the local system (pam_unix.so). If the change succeeds we skip the next two lines (success=2) and reach pam_permit.so, which allows the change. If it does not succeed we try LDAP (pam_ldap.so), and if that succeeds we skip the next line (success=1) and allow the change (pam_permit.so). If the password change on LDAP also fails, the change is denied (pam_deny.so).
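To see how those success=N jumps resolve for each kind of user, here is a small Python model of the stack walk. It is an added example, not code from the original post: it follows the documented ok/done/bad/die/ignore/N control semantics but simplifies Linux-PAM's real dispatcher, and the module return codes passed in are constructed.

```python
import re
# The common-password stack from the post, embedded here as sample input.
COMMON_PASSWORD = """\
password [success=2 default=ignore] pam_unix.so obscure sha512
password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass
password requisite pam_deny.so
password required pam_permit.so
"""

# 'required' and 'requisite' are shorthand for these bracketed controls.
KEYWORDS = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
}

def parse_stack(text):
    """Return [(module, {return_code: action})] for each 'password' line."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"password\s+(\[[^\]]*\]|\w+)\s+(\S+)", line)
        if m:
            control, module = m.groups()
            actions = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                       if control.startswith("[") else KEYWORDS[control])
            entries.append((module, actions))
    return entries

def run_stack(entries, outcomes):
    """outcomes: module -> return code; unlisted modules succeed, pam_deny.so always fails."""
    outcomes = {"pam_deny.so": "perm_denied", **outcomes}
    impression, status, i = None, None, 0
    while i < len(entries):
        module, actions = entries[i]
        ret = outcomes.get(module, "success")
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action in ("bad", "die"):    # the first failure fixes the verdict
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        elif action != "ignore":        # 'ok', 'done' or a jump count N
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done":
                break
            if action.isdigit():        # success=N: skip the next N modules
                i += int(action)
    return status if impression else "perm_denied"
```

Feeding it user_unknown from pam_unix.so and a failure from pam_ldap.so shows that default=die stops at pam_ldap.so, so pam_deny.so is only reached when neither backend recognises the user.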
Further, as we can see in the pam-ldap code, the package tries to update the attribute shadowLastChange, which:
- on a Unix system corresponds to the 3rd field of /etc/shadow, the number of days (since January 1, 1970) on which the password was last changed;
- on an LDAP system is defined in RFC 2307 as an attribute of the shadowAccount object class, together with the other password-expiration attributes (see the brief description), mirroring /etc/shadow.
Therefore, to allow PAM to change a password on OpenDJ we need to:
- add the attribute shadowLastChange to the user; you can use PhpLdapAdmin to add the shadowAccount object class to your POSIX users first;
- add an ACI in OpenDJ that allows the bound user to modify shadowLastChange.
Concerning the ACI for the password change, you could write in a file ssh-shadow.ldif something like:
dn: ou=People,dc=my,dc=domain,dc=com
changetype: modify
add: aci
aci: (targetattr = "shadowLastChange") (target = "ldap:///ou=People,dc=my,dc=domain,dc=com") (version 3.0; acl "change shadow"; allow (write) (userdn = "ldap:///self");)
which allows the bound user (ldap:///self) to modify (write) the attribute shadowLastChange, similar to the example in the OpenDJ documentation for changing one's own password.
Then apply the changes with the command:
./opendj/bin/ldapmodify -h myhost -p 1389 -D "cn=Directory Manager" -W -c -f ssh-shadow.ldif
Once the password has been changed with the passwd command, you can verify with PhpLdapAdmin that the value has changed in OpenDJ, and also check the corresponding date online.
To delete the ACI, just replace "add: aci" with "delete: aci" in the file and re-run the ldapmodify command.