smbldap-passwd fun.

Vlad shiwan-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Tue Jul 4 05:02:49 UTC 2006


        I'm trying to get users to be able to change their passwords
(LDAP + SAMBA in one go) with smbldap-passwd; this works, but the
command has to read a file that contains the admin password to the
LDAP tree - this is a slight problem.

        SETUIDing it doesn't work, because further file-open calls are
done as the user, so permissions are an issue. sudoing doesn't work,
either, because then the user could change anyone else's password.
        Annoyingly enough, I can't chmod 711 it, as the shell
complains that it can't read it; so much for being able to execute a
file without having to read it.
        Further, I can't just set the users' shell to that command,
because they need to be able to ssh in and run other commands.

        About the only thing I can think of is making a custom shell
that only allows a few commands to be run (nothing that could
open/read/cat a file), or using a web-based frontend - I've heard
phpldapadmin or somesuch mentioned.

        Has anyone ever run into such a situation/requirement?


        Thanks in advance,

        -- Vlad

-- 
end
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
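
The sudo objection in the post arises when the caller is allowed to name the target account. As an added example (not part of the original post and not smbldap-tools code), a root-owned wrapper run through sudo can take the account from SUDO_UID and hand only that name to smbldap-passwd; the wrapper name passwd-self, both paths, the sudoers rule and MIN_UID are assumptions.

```shell
#!/bin/sh
# Hypothetical wrapper, e.g. /usr/local/sbin/passwd-self, root-owned, mode 0755.
# Assumed sudoers rule; the "" rejects any command-line arguments, and
# leaving NOPASSWD off makes sudo re-authenticate the caller first:
#   ALL ALL = (root) /usr/local/sbin/passwd-self ""

MIN_UID=1000    # assumption: ordinary accounts start at this uid

# Map a numeric uid to an account name via NSS (covers LDAP users).
lookup_name() {
    getent passwd "$1" | cut -d: -f1
}

# Print the one account the caller may change, or fail.
# Identity is taken from SUDO_UID, which sudo sets itself; argv is ignored.
caller_account() {
    uid=${SUDO_UID:-}
    case $uid in
        ''|*[!0-9]*) echo "run this through sudo" >&2; return 1 ;;
    esac
    if [ "$uid" -lt "$MIN_UID" ]; then
        echo "refusing system account (uid $uid)" >&2; return 1
    fi
    name=$(lookup_name "$uid")
    case $name in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "no usable account for uid $uid" >&2; return 1 ;;
    esac
    printf '%s\n' "$name"
}

main() {
    [ "$#" -eq 0 ] || { echo "usage: sudo passwd-self" >&2; exit 2; }
    [ "$(id -u)" -eq 0 ] || { echo "run this through sudo" >&2; exit 1; }
    target=$(caller_account) || exit 1
    # Assumed install path; the admin-password file stays readable by root only.
    exec /usr/sbin/smbldap-passwd "$target"
}

# Run only when installed under the wrapper's name, so the file can be sourced.
case ${0##*/} in
    passwd-self) main "$@" ;;
esac
```

Run directly instead of through sudo, the wrapper has no root privileges and so cannot read the admin-password file, whatever SUDO_UID is set to.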




