ruby-net-ldap
Change password via EXOP
I was wondering if ruby-net-ldap implements LDAP EXOP to change a user's password. Having this feature will help when using ppolicy with OpenLDAP to update password-related attributes.
To fill in with some additional context, I did some quick googling and found RFC 3062: LDAP Password Modify Extended Operation.
> The integration [RFC2829] of application neutral SASL [RFC2222]
> services which support simple username/password mechanisms (such as
> DIGEST-MD5) has introduced non-LDAP DN authentication identity forms
> and made storage of passwords the responsibility of the SASL service
> provider.
>
> LDAP update operations are designed to act upon attributes of an
> entry within the directory. LDAP update operations cannot be used to
> modify a user's password when the user is not represented by a DN,
> does not have a entry, or when that password used by the server is
> not stored as an attribute of an entry. An alternative mechanism is
> needed.
>
> This document describes an LDAP Extended Operation intended to allow
> directory clients to update user passwords. The user may or may not
> be associated with a directory entry. The user may or may not be
> represented as an LDAP DN. The user's password may or may not be
> stored in the directory.
I haven't looked at the existing code for password modify requests, but I think this would be a good addition to this library pending some research. Would you be interested in digging in and proposing a pull request?
Any support for sending LDAP Extended Operations would be welcome. I'm not sure if that deserves to be a separate issue or not. It's a fairly simple payload. It's essentially a request with an OID and optional value.
- https://tools.ietf.org/html/rfc4511#section-4.12
CLI tools such as ldapexop provide comparable functionality that you could compare with.
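The payload described in the comment above (an OID plus an optional value), worked through for the RFC 3062 Password Modify operation. This is an added example, not part of the thread and not ruby-net-ldap's code; the method names are hypothetical, and it encodes the bytes by hand instead of using any library API.

```ruby
# Added example: BER-encode an RFC 3062 Password Modify request (RFC 4511 ExtendedRequest).
# All method names are hypothetical and not part of any library.
PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1" # requestName defined by RFC 3062

# BER definite length: short form below 128, long form (0x80 | octet count) otherwise.
def ber_length(n)
  return [n].pack("C") if n < 0x80
  octets = []
  while n > 0
    octets.unshift(n & 0xff)
    n >>= 8
  end
  ([0x80 | octets.size] + octets).pack("C*")
end

# One tag-length-value element; the value is treated as raw bytes.
def tlv(tag, value)
  value = value.b
  [tag].pack("C") + ber_length(value.bytesize) + value
end

# Non-negative INTEGER (tag 0x02), used for the LDAP messageID.
def ber_integer(n)
  raise ArgumentError, "messageID out of range" unless n.between?(0, 2**31 - 1)
  octets = []
  loop do
    octets.unshift(n & 0xff)
    n >>= 8
    break if n.zero?
  end
  octets.unshift(0) if octets.first >= 0x80 # keep the sign bit clear
  tlv(0x02, octets.pack("C*"))
end

# PasswdModifyRequestValue ::= SEQUENCE { [0] userIdentity, [1] oldPasswd, [2] newPasswd },
# every field OPTIONAL, so absent fields are simply left out.
def passwd_modify_value(user: nil, old_password: nil, new_password: nil)
  fields = { 0x80 => user, 0x81 => old_password, 0x82 => new_password }
  tlv(0x30, fields.filter_map { |tag, v| tlv(tag, v) if v }.join)
end

# LDAPMessage ::= SEQUENCE { messageID, [APPLICATION 23] { [0] requestName, [1] requestValue } }
def passwd_modify_request(message_id, **fields)
  ext = tlv(0x80, PASSWD_MODIFY_OID) + tlv(0x81, passwd_modify_value(**fields))
  tlv(0x30, ber_integer(message_id) + tlv(0x77, ext))
end
```

The old and new passwords travel as plain octets inside the request value, so the operation belongs only on a TLS-protected connection (LDAPS or StartTLS).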
+1
+1