Don’t know if it is me or there really is something big missing from the whole Mac OS X Server-all-users-in-od-with-kerberos-password-policy setup. I think I’ve gone through the whole 10.4 server and most of 10.5 server documentation and I can’t find a way to let users with machines that are not bound to the OD server change their passwords remotely. Surely they can do it by either going to the Admin’s room and sitting down at his console (WGM) or ssh to the server and issue the passwd command, but I think both will be asking too much from poor ol’ Joe User. I googled a bit and found a tool developed through WebObjects(?!) that probably did its job back in 2004 when the tool was last updated.
An idea came to me: what if we set up an HTTPS website on the server, enable webmail, let Joe User log in to his account and, through a SquirrelMail plugin, allow him also to change his password? Shouldn’t be too hard, should it? And if the web traffic between the user and our server is encrypted by SSL, it shouldn’t be insecure either. A quick trip to the SquirrelMail plugin repository at http://www.squirrelmail.org/plugins_category.php?category_id=5 revealed half a dozen candidates for the job. I looked at Change LDAP Password, but I remembered MOSX Server doesn’t keep the OD user passwords in the LDAP directory itself, so this one probably won’t help. Next one should be Change_passwd, as passwd is the tool recommended by Apple for changing users’ passwords. Now while I’m setting up a demo server machine I decided to post here so that somebody can point out if my way of thinking is even remotely correct.
Anybody?