[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: How To set things up to allow users to change their passwords

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: RE: How To set things up to allow users to change their passwords
From: "Mackey, Theral" <tmackey@zetta.net>
Date: Tue, 8 Dec 2009 00:56:05 +0000
Accept-language: en-US
Acceptlanguage: en-US
Content-language: en-US
In-reply-to: <200912071252.52990.bgmilne@staff.telkomsa.net>
References: <200912041655.nB4Gt5eD021822@sharky.deepsoft.com> <680cbe0e0912051713k282e4303v621db6d8ce997932@mail.gmail.com> <200912061449.nB6EnwpU025850@sharky.deepsoft.com> <200912071252.52990.bgmilne@staff.telkomsa.net>
Thread-index: Acp3S7AcoJkqb6gQStm1VBPcv0Fs2QAUvpjw
Thread-topic: How To set things up to allow users to change their passwords

> Sent: Monday, December 07, 2009 3:53 AM
> To: openldap-technical@openldap.org
> Cc: Serge Fonville; Robert Heller
> Subject: Re: How To set things up to allow users to change their
> passwords
> 
> On Sunday, 6 December 2009 15:49:58 Robert Heller wrote:
> > At Sun, 6 Dec 2009 02:13:28 +0100 Serge Fonville <serge.fonville@gmail.com> wrote:
> > > On Fri, Dec 4, 2009 at 5:55 PM, Robert Heller <heller@deepsoft.com> wrote:
> > > > I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
> > > > RPMS) and I want to allow users to change their passwords, but I am
> > > > confused by the documentation (it has both too much and not enough
> > > > information -- there don't appear to be simple HowTos for common
> > > > setups).
> > >
> 
> Your PAM configuration should have been updated (if you used authconfig
> or
> similar) to change passwords via LDAP, so 'passwd' as an LDAP user
> should
> work.
> 

More specifically, and to hopefully end this thread, look in libnss-ldap.conf and/or pam_ldap.conf at the pam_password attribute (and setup pam for ldap, plenty of well written docs on that online).
Set it to exop for slapd to take the plaintext from the passwd command and encrypt with whatever your slapd.conf says to use for userpassword (default ssha, set via password-hash) and update the ldap tree (and follow any policy guidelines if you use ppolicy overlay). If you instead did go the route of a cgi/php page, you can comment out pam-passwd and set pam_password_prohibit_message to its url to send users there.

the Admin entry is probably just an example for some "admin" user created for an app/other user to change passwords for users. slapd doesn’t auto create entries unless an overlay or config item tells it to, even the cn=manager,<BASE-DN> entry is "created" from your slapd.conf file (rootdn/rootpw)

-T

References:
- How To set things up to allow users to change their passwords
  - From: Robert Heller <heller@deepsoft.com>
- Re: How To set things up to allow users to change their passwords
  - From: Serge Fonville <serge.fonville@gmail.com>
- Re: How To set things up to allow users to change their passwords
  - From: Robert Heller <heller@deepsoft.com>
- Re: How To set things up to allow users to change their passwords
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: 100% CPU loading
Next by Date: Re: restrict host login based on group
Index(es):
- Chronological
- Thread