dead.letter

A technical blog focusing on Linux, FreeBSD, DNS, security and virtualization.

2005-03-31

OpenLDAP authentication

Some observations about using pam_ldap against OpenLDAP.
Determining the right pam_password setting involves some trial and error (as shown below). My testing shows that there may not be a utopian setting, because there are tradeoffs that must be considered. For instance, even though exop appears below to be the best choice for allowing password changes by local users (rather than root on their behalf), the exop setting is not supported on Debian.

The symptom is that a normal user cannot change their LDAP password using the passwd command, although root can.


Using pam_password crypt(3)
Run passwd testuser as root, set to testtest
!!! LDAP Explorer shows userPassword in plain text (i.e. testtest)
Run passwd as testuser - auth check works, changed pw to testcrypt3
!!! LDAP Explorer shows userPassword in plain text (i.e. testcrypt3)

Using pam_password md5
Run passwd testuser as root, set to testtest
!!! LDAP Explorer shows userPassword as {crypt}$1$kKkfirx2$/qGTi5pxfPPk1oDbYGLKe0
Run passwd as testuser
!!! LDAP Password incorrect: try again
Observe: cannot authenticate against md5-crypted password for passwd change but root CAN change testuser's passwd

Using pam_password crypt
Run passwd testuser as root, set to testtest
!!! LDAP Explorer shows userPassword as {crypt}Lho9YpQgQuphs
Run passwd as testuser
!!! LDAP Password incorrect: try again
Observe: cannot authenticate against crypted password for passwd change but root CAN change testuser's passwd

Using pam_password exop
Run passwd testuser as root, set to testtest
!!! LDAP Explorer shows userPassword as {SMD5}C+MSja6sS1gwLp7Jfv5WtmxxuKo=
Run passwd as testuser, set to tonkyhonk
LDAP password information changed for testuser
!!! LDAP Explorer shows userPassword as {SMD5}H9bii6aCq7BHaLutr+VwIZjU+ck=
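An added example, not from the original post: a small Python audit that classifies userPassword values from an LDIF export by their storage scheme (the plain, {crypt} and {SMD5} forms observed above), flags plaintext and DES-crypt storage, and verifies the {SMD5} format that the exop setting produced. The LDIF excerpt and the DNs are constructed; the attribute values are the ones shown above.

```python
import base64
import hashlib
import re

# Constructed LDIF excerpt mirroring three outcomes above (not a real export).
SAMPLE_LDIF = """\
dn: uid=plain,ou=people,dc=example,dc=com
userPassword: testtest

dn: uid=des,ou=people,dc=example,dc=com
userPassword: {crypt}Lho9YpQgQuphs

dn: uid=exop,ou=people,dc=example,dc=com
userPassword: {SMD5}H9bii6aCq7BHaLutr+VwIZjU+ck=
"""

SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$")
RISK = {"PLAINTEXT": "critical", "CRYPT-DES": "high", "CRYPT-MD5": "medium",
        "MD5": "medium", "SMD5": "medium"}

def classify(value):
    """Name the storage scheme of a userPassword value ({scheme} prefix, RFC 2307)."""
    m = SCHEME_RE.match(value)
    if not m:
        return "PLAINTEXT"  # no prefix: the directory holds the password as typed
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":  # crypt(3) output: $1$ is MD5-crypt, 13 chars is DES
        return "CRYPT-MD5" if rest.startswith("$1$") else "CRYPT-DES"
    return scheme

def audit(ldif):
    """Return [(dn, scheme, risk)] for every userPassword attribute in LDIF text."""
    findings, dn = [], None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userPassword: "):
            scheme = classify(line[14:])
            findings.append((dn, scheme, RISK.get(scheme, "review")))
    return findings

def smd5_hash(password, salt):
    """Build an OpenLDAP {SMD5} value: base64(md5(password || salt) || salt)."""
    digest = hashlib.md5(password.encode() + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode()

def smd5_verify(password, value):
    """Check a password against a {SMD5} value by re-hashing with the stored salt."""
    if classify(value) != "SMD5":
        return False
    raw = base64.b64decode(value[6:])  # strip "{SMD5}"; first 16 bytes are the digest
    return hashlib.md5(password.encode() + raw[16:]).digest() == raw[:16]
```

Running audit(SAMPLE_LDIF) reports the plaintext entry as critical, which is the outcome the first trial above produced.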
