
Access control - passwords and accounts



Hi,

I have a few questions regarding access control and how to provide enough
access, without providing too much.

First, I'd like to lock down the userPassword attribute as much as
possible, so someone can't snoop around and harvest passwords.  However, I
think I have a problem, in that pam_ldap and nss_ldap bind anonymously,
when looking up user account information.  So if I enforce:

access to attribute=userPassword
        by dn="cn=manager,dc=elanco,dc=k12,dc=pa,dc=us" write
        by self write
        by * none

The user and the admin can change the password but that's it.  I guess I
could modify the config file for pam_ldap and nss_ldap to bind as
manager.  So am I thinking along the right lines for this?  Also, does
granting write access to an attribute implicitly grant read access to it
as well?

Secondly, is there any way to lock down on which machines a user account
is active?  By this I mean in my current setup, I haven't come up with a
way to limit logins to a machine - users either have no access or have
full access to every machine using LDAP for authentication (of course
depending on whether they have a valid shell or not).

The only two ways I have thought of doing this are 1) hacking the PAM code
to look for an additional attribute, like "hasAccountOn" servername or
2) creating an ACL for each and every user account that limits which
machines can do lookups on that user.  The latter would work, I think, but
I'm not really interested in creating 360 access lists and maintaining
them.  The former is a bit more formidable task than I care to undertake
at this time.

Finally, I need to come up with something simple to allow users to change
their passwords, via a web interface.  What would be the recommendations
there - PHP, cgi script or ???  Better yet, does anyone have a cgi-script
or some PHP code that will do just that to save me from reinventing the
wheel?  Or is there a better way to do this that I haven't thought of?

Thanks for any help!

Kevin


-- 
     ~        Kevin M. Myer
    . .       Network/System Administrator
    /V\       ELANCO School District
   // \\
  /(   )\
   ^`~'^
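The following is an added example, not part of Kevin's post, showing how the first two questions are usually handled in OpenLDAP and PADL pam_ldap/nss_ldap without binding the clients as the manager and without per-user ACLs. It assumes OpenLDAP 2.1-or-later slapd.conf syntax (`attrs=` and `dn.exact=`; the post's `attribute=` spelling is the older form), Linux-PAM, and uses the poster's base DN; the uid, hostnames and file excerpts are illustrative:

```conf
########## slapd.conf (server) ##########
# slapd applies the first "access to" clause whose target matches, so this
# userPassword rule has to precede the catch-all below. Access levels are
# cumulative (none < auth < compare < search < read < write), so "write"
# already includes "read". "by anonymous auth" lets the client's anonymous
# session use the attribute for the user's own bind without being able to
# read it back, so pam_ldap/nss_ldap need no binddn/bindpw at all.
# If cn=manager is also the rootdn it bypasses ACLs and its line is
# redundant but harmless.
access to attrs=userPassword
        by dn.exact="cn=manager,dc=elanco,dc=k12,dc=pa,dc=us" write
        by self write
        by anonymous auth
        by * none

# Everything else (uid, uidNumber, homeDirectory, loginShell, host, ...)
# stays readable, which nss_ldap's anonymous lookups require.
access to *
        by * read

########## /etc/ldap.conf (pam_ldap / nss_ldap on each client) ##########
host ldap.elanco.k12.pa.us
base dc=elanco,dc=k12,dc=pa,dc=us
# No binddn/bindpw: lookups stay anonymous and the manager credential never
# lands on a client machine.
# Deny login unless the user's entry carries a "host" value equal to this
# client's hostname (as returned by gethostname(), so short name vs. FQDN
# matters) or the wildcard "*". Users with no host attribute are denied.
pam_check_host_attr yes

########## /etc/pam.d/login, excerpt (Linux-PAM syntax) ##########
# pam_check_host_attr is enforced in pam_ldap's account phase, so pam_ldap
# must be in the account stack, not only the auth stack.
account    [default=bad success=ok user_unknown=ignore]  pam_ldap.so
account    required                                       pam_unix.so

########## LDIF: allow one (illustrative) user on to two machines ##########
# "host" belongs to the "account" objectClass (cosine.schema); entries
# produced by the PADL migration tools already carry that class.
dn: uid=kmyer,ou=People,dc=elanco,dc=k12,dc=pa,dc=us
changetype: modify
add: host
host: lab1.elanco.k12.pa.us
host: fileserver.elanco.k12.pa.us
```

Two caveats. The `host` attribute must stay readable to the anonymous client (the catch-all rule above does that), and `account` is a structural class, so it cannot be added to an entry whose structural class is already inetOrgPerson; in that case a per-client `pam_filter` in ldap.conf (for example `pam_filter host=lab1.elanco.k12.pa.us`, with a locally defined attribute) achieves the same effect with one filter per machine instead of one ACL per user.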
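For the third question, the added example below (not code from the post) covers the part of a password-change CGI that actually touches the directory: producing and checking hashed userPassword values in the layouts slappasswd uses. The CGI itself should bind to the directory as the user over TLS (which proves the old password and, with `by self write`, authorizes the change) and then replace userPassword; either send the new password through the RFC 3062 Password Modify extended operation, as `ldappasswd` does, and let slapd hash it, or write a pre-hashed value like the ones built here. Scheme layouts assumed: `{SSHA}` and `{SMD5}` are base64(digest(password + salt) + salt), `{SHA}` and `{MD5}` are base64(digest(password)). The DN in the demo is hypothetical. Python 3.

```python
"""Build and check OpenLDAP-style hashed userPassword values (added example)."""
import base64
import hashlib
import hmac
import os

# scheme -> (hash constructor, salted?), following slappasswd's layouts
SCHEMES = {
    "{SSHA}": (hashlib.sha1, True),
    "{SHA}": (hashlib.sha1, False),
    "{SMD5}": (hashlib.md5, True),
    "{MD5}": (hashlib.md5, False),
}


def hash_userpassword(password, scheme="{SSHA}", salt=None):
    """Return a userPassword value such as '{SSHA}<base64>'.

    A random 8-byte salt is drawn for salted schemes when none is given;
    a fixed salt is only useful for reproducing a known value.
    """
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    hfn, salted = SCHEMES[scheme]
    pw = password.encode("utf-8")
    if salted:
        if salt is None:
            salt = os.urandom(8)
        if not salt:
            raise ValueError("salted scheme needs a non-empty salt")
        blob = hfn(pw + salt).digest() + salt
    else:
        if salt is not None:
            raise ValueError("%s takes no salt" % scheme)
        blob = hfn(pw).digest()
    return scheme + base64.b64encode(blob).decode("ascii")


def split_scheme(stored):
    """Split '{SCHEME}payload' into ('{SCHEME}', payload); (None, value) for cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}") + 1
        return stored[:end].upper(), stored[end:]
    return None, stored


def verify_userpassword(password, stored):
    """Constant-time check of a candidate password against a stored value.

    Returns False (never raises) for malformed values: bad base64, wrong
    digest length, or a salted scheme with no salt bytes after the digest.
    Unknown schemes ({CRYPT} etc.) raise ValueError so the caller notices
    instead of silently rejecting every password.
    """
    scheme, payload = split_scheme(stored)
    pw = password.encode("utf-8")
    if scheme is None:
        # slapd also accepts unhashed userPassword values; compare as bytes.
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme %s" % scheme)
    hfn, salted = SCHEMES[scheme]
    try:
        blob = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    dlen = hfn().digest_size
    if salted:
        if len(blob) <= dlen:
            return False
        digest, salt = blob[:dlen], blob[dlen:]
        candidate = hfn(pw + salt).digest()
    else:
        if len(blob) != dlen:
            return False
        digest, candidate = blob, hfn(pw).digest()
    return hmac.compare_digest(candidate, digest)


def password_change_ldif(dn, new_password):
    """LDIF modify record a CGI can feed to ldapmodify once the user's own bind succeeded."""
    return "\n".join([
        "dn: %s" % dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: %s" % hash_userpassword(new_password),
        "",
    ])


if __name__ == "__main__":
    value = hash_userpassword("correct horse")
    print(value, verify_userpassword("correct horse", value))
    # hypothetical DN, for demonstration only
    print(password_change_ldif("uid=kmyer,ou=People,dc=example,dc=edu", "correct horse"))
```

Two hashes of the same password differ because each draws a fresh salt, which is the point of `{SSHA}` over `{SHA}`: a harvested attribute cannot be matched against a precomputed table across users. Whatever the CGI does, it must never run with the manager credential; binding as the user keeps the `by self write` rule doing the authorization.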