I understand Open Directory to be OpenLDAP + SASL (Password Server) + Kerberos. It appears that OpenLDAP defers to SASL for authentication; I don't know about Kerberos.
I want to change user passwords from a script, preferably remotely, and I want the password to be changed properly. (i.e. in no event do I want a user to have a different password depending upon which of the three services that go into Open Directory they authenticate against.)
I can do a dsimport over the network just fine from a machine that is not bound to the directory, but, when you try to import a password (despite setting the AuthType to dsAuthMethodStandard:dsAuthClearText), it will work only if the password has not been set before. (I believe it is possible to set a Crypt password, but I fear that means that only the LDAP portion of OD will know the current password.)
Is there anything I can do short of initiating an ssh session to the server and changing the passwords there? If I do that, is there any command that will let me specify a number of users and their new passwords on one line?
Which commands work to change all open directory passwords, and is there any one to prefer?
`apropos password` gives me these interesting results:
- kpasswd(1) - change a user's Kerberos password
- ldappasswd(1) - change the password of an LDAP entry
- lppasswd(1) - add, change, or delete digest passwords
- passwd(1) - modify a user's password
- pwpolicy(8) - gets and sets password policies
- saslpasswd2(8) - set a user's sasl password
- slappasswd(8) - OpenLDAP password utility
I'll look at some of the man pages, and I'm under the impression that pwpolicy is the best choice, but I'd love to know if there are any subtleties to using these (such as, don't change the Kerberos password without also changing the LDAP and SASL passwords), and if any of them work remotely without an ssh session.