
Re: ACL Stuff and changing passwords

At 12:07 PM 9/27/00 +0000, Joseph Hoot wrote:
>I have a few questions:
>1) This question is for Kurt - I went to freshmeat looking for an LDAP client
>and found one and it had something to do with Pendium (or something like
>that).  Do you know what this Pendium thing was called.  It had something to
>do with postfix and I'm interested in replacing our Sendmail server with
>Postfix and integrating LDAP and virtual domains and stuff.  If you happen to
>know what I'm talking about would you please respond?  Thanks.

I haven't a clue about what you're talking about...  try the
Postfix web site for information about how to integrate Postfix
with LDAP directory services.

>2) What is the best way to change a users password?  ldappasswd or ldapmodify?

In OpenLDAP 1.2, it doesn't matter too much... both are based upon
the modify operation.  ldappasswd(1) just includes the code to do
RFC 2307 generation.  For 1.2, I actually prefer using ldapmodify
and generating the password hash myself.

In OpenLDAP 2.0, ldappasswd uses the Password Modify extended
operation which supports server side generation.  The current
implementation abuses userPassword (the spec says userPassword
should contain the user's actual password in clear text), but
can be adapted (eventually) to store the value in other attributes
(e.g. authPassword) and/or in external authentication services
(OS, SASLdb, Kerberos, etc).

If you intend to store only clear text passwords in userPassword
then using ldapmodify(1) is fine.  However, if you intend to store
hashed passwords or use external password storage, ldappasswd(1)
is better.

>3) If I try to use ldappasswd with user "jhoot" , for example, the ldap server
>denies this user from changing his password.

You must ensure that the authenticated user is authorized to
make the change.

>[jhoot@elmer jhoot]$ ldappasswd -t uid=jhoot,ou=people,dc=nowcom,dc=com -H md5

That looks like 1.2 version...

>If I use ldappasswd in the same manner and add "-D cn=manager,dc=nowcom,dc=com
>-W" then I can enter the rootdn password and it works.

Yes, the rootdn is authorized to make the change.  Authorize
as the user (using -D), and if you get denied, check the slapd
logs (with ACL logging enabled).