Windows 2003 w/IIS 6.0 does come with a very basic ASP application that allows you to change user passwords. You can check out Microsoft's knowledge base and find out more about IISADMPWD there.
Here is the /etc/ldap.conf I was using:
#logdir /var/log
#debug 256
host winad.your.domain
#uri ldaps://winad.your.domain
scope sub
timelimit 5
# the following port command works if ssl is set to on
#port 636
# this is the user root binds to the LDAP database as;
# its password is read from /etc/ldap.secret (mode 0600), not from this file.
rootbinddn cn=lnxadm,cn=Users,dc=your,dc=domain
# This is the user that is used to look up user data in
# Active Directory. This user should have very limited access
# and should only be able to read Active Directory information.
binddn bind_user@your.domain
bindpw bind_user_password
# if bind_policy is set to soft it will make nss_ldap
# return a negative result if it cannot connect. If
# bind_policy is set to hard nss_ldap will try to
# connect to ldap server indefinitely.
bind_policy soft
# turn on TLS so the clear text username and password
# are not sent across the wire.
tls_checkpeer yes
ssl start_tls
# the following are undocumented settings. These
# values are typically set in the DEFINE statements
# in the source code. These were put in an attempt
# to not bring system to a crawl when LDAP server
# is unavailable. These settings do not appear
# to be helpful.
# prevents nss from indefinitely trying to make a connection
nss_reconnect_tries 2
#nss_reconnect_sleeptime
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 2
# set the base DN (and scope) where LDAP searches begin.
nss_base_passwd ou=LNXUSERS,dc=your,dc=domain?sub
nss_base_shadow ou=LNXUSERS,dc=your,dc=domain?sub
nss_base_group ou=LNXUSERS,dc=your,dc=domain?sub?&(objectCategory=group)(gidnumber=*)
# These nss mappings are used when connecting to an Active
# Directory on Windows 2003 R2 (rfc2307). This will not
# work for an Active Directory schema based on Microsoft's
# Services for Unix (SFU) 3.x .
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
#nss_map_attribute gecos name
nss_map_attribute homeDirectory unixHomeDirectory
# These nss mappings are used when connecting to an Active
# Directory with Microsoft's Services for Unix 3.x installed.
# This is not needed for Windows 2003 R2.
#nss_map_objectclass posixAccount User
#nss_map_objectclass posixGroup Group
#nss_map_attribute uid sAMAccountName
#nss_map_attribute uidNumber msSFU30UidNumber
#nss_map_attribute gidNumber msSFU30GidNumber
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute loginShell msSFU30LoginShell
#nss_map_attribute gecos name
# pam_ldap setting to make sure that passwords are set correctly when
# using Active Directory
pam_password ad
I also had the file /etc/openldap/ldap.conf where I used the following options:
BASE ou=LNXUSERS,dc=your,dc=domain
HOST winad.your.domain
TLS_REQCERT demand
TLS_CACERT /etc/openldap/cacerts/winadCA.pem
Although this works just fine and no passwords travel across the wire in clear text, I am not satisfied with the solution. Also, as mentioned already, when using pam_ldap I cannot force users to change password.
If anyone has an enterprise solution that is working it would be nice to get some input.
Thanks.
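As an added example (not part of this post, and not code from nss_ldap or pam_ldap), the following Python script checks an ldap.conf excerpt for the settings that decide whether the bind credentials and user passwords cross the wire in the clear, and then applies the nss_map_objectclass / nss_map_attribute lines to an Active Directory object the way nss_ldap does when it builds a passwd entry, for both the Windows 2003 R2 (rfc2307) mapping and the SFU 3.x mapping. The config excerpts, the user object and all function names are constructed for illustration; the script talks to no directory.

```python
"""Offline checker for an nss_ldap/pam_ldap /etc/ldap.conf aimed at Active Directory.

Shows (1) which settings control cleartext exposure of credentials and
(2) how nss_map_* lines turn an AD object into a passwd(5) line.
All inputs below are constructed for illustration.
"""

# Constructed excerpt in the same key/value format as nss_ldap's /etc/ldap.conf.
SAMPLE_CONF = """
host winad.your.domain
scope sub
binddn bind_user@your.domain
bindpw bind_user_password
bind_policy soft
tls_checkpeer yes
ssl start_tls
nss_base_passwd ou=LNXUSERS,dc=your,dc=domain?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute homeDirectory unixHomeDirectory
pam_password ad
"""

# Constructed SFU 3.x mapping, to show the two schemas are not interchangeable.
SFU_MAP_CONF = """
nss_map_objectclass posixAccount User
nss_map_attribute uid sAMAccountName
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute loginShell msSFU30LoginShell
"""

# Constructed AD user object as the Windows 2003 R2 (rfc2307) schema stores it.
SAMPLE_ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "user"],
    "sAMAccountName": ["jdoe"],
    "uid": ["jdoe"],
    "uidNumber": ["10001"],
    "gidNumber": ["10001"],
    "gecos": ["John Doe"],
    "unixHomeDirectory": ["/home/jdoe"],
    "loginShell": ["/bin/bash"],
}

POSIX_ACCOUNT_ATTRS = ["uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell"]


def parse_ldap_conf(text):
    """Parse 'key value' lines; nss_map_* lines are collected into per-key dicts."""
    conf = {"nss_map_objectclass": {}, "nss_map_attribute": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key in ("nss_map_objectclass", "nss_map_attribute"):
            posix_name, _, ad_name = value.partition(" ")
            if ad_name.strip():
                conf[key][posix_name] = ad_name.strip()
        else:
            conf[key] = value
    return conf


def transport_findings(conf):
    """Return security-relevant findings for the transport/bind settings."""
    findings = []
    ssl = conf.get("ssl", "off").lower()
    uri = conf.get("uri", "").lower()
    if ssl == "off" and not uri.startswith("ldaps://"):
        findings.append("cleartext: simple bind sends bindpw and user passwords unprotected")
    if ssl != "off" and conf.get("tls_checkpeer", "no").lower() != "yes":
        findings.append("tls_checkpeer is not 'yes': the server certificate is not verified")
    if conf.get("bind_policy", "hard").lower() == "hard":
        findings.append("bind_policy hard: lookups block indefinitely when the server is down")
    if conf.get("pam_password", "").lower() != "ad":
        findings.append("pam_password is not 'ad': password changes against AD will fail")
    if conf.get("bindpw"):
        # Every NSS-using process reads this file, so it is effectively world-readable.
        findings.append("note: bindpw lives in world-readable /etc/ldap.conf, so the bind account must be read-only")
    return findings


def entry_to_passwd(entry, conf):
    """Apply nss_map_* to an AD object; return a passwd(5) line or None if it does not qualify."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    wanted = conf["nss_map_objectclass"].get("posixAccount", "posixAccount")
    if wanted.lower() not in classes:
        return None
    values = {}
    for posix_attr in POSIX_ACCOUNT_ATTRS:
        ad_attr = conf["nss_map_attribute"].get(posix_attr, posix_attr)
        # LDAP attribute names are case-insensitive, so match accordingly.
        found = next((v for k, v in entry.items() if k.lower() == ad_attr.lower()), None)
        if not found and posix_attr != "gecos":
            return None  # a required attribute is absent under this mapping
        values[posix_attr] = found[0] if found else ""
    return "{uid}:x:{uidNumber}:{gidNumber}:{gecos}:{homeDirectory}:{loginShell}".format(**values)


if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_CONF)
    for finding in transport_findings(conf):
        print(finding)
    print("rfc2307 mapping:", entry_to_passwd(SAMPLE_ENTRY, conf))
    print("SFU mapping:    ", entry_to_passwd(SAMPLE_ENTRY, parse_ldap_conf(SFU_MAP_CONF)))
```

Run against the post's settings the checker reports only the bindpw note; flipping `ssl` to `off` makes it flag cleartext binds, and feeding the same R2-schema user through the SFU mapping yields no passwd entry at all, which is the failure mode the comment about the two mapping sets describes.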