
Re: password attribute

On Thu, 23 Nov 2000, unplug wrote:
> Hi all,
> 
>   I have a simple question to ask.
>
>   I have an attribute userpassword in the ldap directory.  I want this
> attribute not to be searchable by the others, but it is used to do the
> authentication.
> How do I set up such an attribute?
> 
> Thanks,
> unplug

First, put this in your ACL, with appropriate modifications. Do not put any
"access to * by * read" lines above the "access to attr=userpassword" line in
slapd.conf, or everybody will still be able to read the passwords. Once you've
restricted everything in the directory that you want, then you can put an
"access to * by * read" line at the very bottom of slapd.conf. This just allows
anonymous access to everything that isn't restricted earlier.

# Password attribute: owner and admin groups may change it, the login DN
# used by the authentication modules may read it, nobody else sees it.
access to attr=userpassword
  by self write
  by group="cn=Directory Admins,ou=admins,dc=abc,dc=com" write
  by group="cn=IT Admins,ou=admins,dc=abc,dc=com" write
  by dn="cn=login,dc=abc,dc=com" read
  by * none

# Account entries: the account itself (dn matched by regex), admins and the
# login DN may read them; anonymous gets nothing.
access to dn="ou=accounts,dc=abc,dc=com"
  by dn="^uid=[a-z]+,ou=accounts,dc=abc,dc=com$" read
  by group="cn=Directory Admins,ou=admins,dc=abc,dc=com" write
  by group="cn=IT Admins,ou=admins,dc=abc,dc=com" write
  by dn="cn=login,dc=abc,dc=com" read
  by * none
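The ordering warning above is easy to get wrong, because slapd stops at the first "access to" clause whose target matches and never looks further down. The following added example (my code, not Mike's and not OpenLDAP's) parses the ACL fragment from this post, applies slapd's first-match evaluation to it, and shows that placing the catch-all "access to * by * read" on top hands userpassword to anonymous, while placing it at the bottom does not. The group membership table, the sample user DN and the default access level are constructed assumptions; dn patterns are treated as regular expressions, as OpenLDAP 2.0 did.

```python
import re
import shlex

# Access levels in increasing order of privilege (the ones slapd.conf uses here)
LEVELS = ["none", "compare", "search", "read", "write"]

# The ACL fragment from the post, verbatim (constructed test input for this script)
ACL_TEXT = """
access to attr=userpassword
  by self write
  by group="cn=Directory Admins,ou=admins,dc=abc,dc=com" write
  by group="cn=IT Admins,ou=admins,dc=abc,dc=com" write
  by dn="cn=login,dc=abc,dc=com" read
  by * none

access to dn="ou=accounts,dc=abc,dc=com"
  by dn="^uid=[a-z]+,ou=accounts,dc=abc,dc=com$" read
  by group="cn=Directory Admins,ou=admins,dc=abc,dc=com" write
  by group="cn=IT Admins,ou=admins,dc=abc,dc=com" write
  by dn="cn=login,dc=abc,dc=com" read
  by * none
"""

# The catch-all the post says to put at the very bottom
CATCH_ALL = "access to *\n  by * read\n"

# Constructed group membership: group DN -> set of member DNs
GROUPS = {
    "cn=Directory Admins,ou=admins,dc=abc,dc=com": {"cn=alice,ou=admins,dc=abc,dc=com"},
    "cn=IT Admins,ou=admins,dc=abc,dc=com": set(),
}

USER = "uid=bob,ou=accounts,dc=abc,dc=com"   # constructed account entry
LOGIN = "cn=login,dc=abc,dc=com"             # the post's login DN


def parse_acl(text):
    """Turn 'access to <what>' / 'by <who> <level>' lines into an ordered rule list."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # keeps quoted DNs with spaces together
        if tokens[:2] == ["access", "to"]:
            rules.append({"what": tokens[2], "by": []})
        elif tokens[0] == "by" and rules:
            rules[-1]["by"].append((tokens[1], tokens[2]))
        else:
            raise ValueError(f"unrecognised ACL line: {line}")
    return rules


def what_matches(what, entry_dn, attr):
    if what == "*":
        return True
    kind, _, value = what.partition("=")
    if kind == "attr":
        return attr.lower() == value.lower()
    if kind == "dn":   # OpenLDAP 2.0 treats dn=<pattern> as a regex over the entry DN
        return re.search(value, entry_dn, re.IGNORECASE) is not None
    raise ValueError(f"unsupported target: {what}")


def who_matches(who, requester, entry_dn, groups):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "self":
        return requester is not None and requester.lower() == entry_dn.lower()
    kind, _, value = who.partition("=")
    if kind == "dn":
        return requester is not None and re.search(value, requester, re.IGNORECASE) is not None
    if kind == "group":
        return requester in groups.get(value, set())
    raise ValueError(f"unsupported who: {who}")


def granted(rules, requester, entry_dn, attr, groups=GROUPS, default="read"):
    """slapd semantics: the first 'access to' whose target matches is the only one
    consulted; within it the first matching 'by' sets the level, and a matching
    rule with no matching 'by' behaves as 'by * none'. The default applies only
    when no rule matches at all (assumed here to be read, as in OpenLDAP 2.0)."""
    for rule in rules:
        if what_matches(rule["what"], entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, requester, entry_dn, groups):
                    return level
            return "none"
    return default


def allows(rules, requester, entry_dn, attr, needed):
    return LEVELS.index(granted(rules, requester, entry_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    good = parse_acl(ACL_TEXT + CATCH_ALL)   # catch-all last, as the post advises
    bad = parse_acl(CATCH_ALL + ACL_TEXT)    # catch-all first: the later rules are dead
    for name, acl in (("catch-all last", good), ("catch-all first", bad)):
        leak = allows(acl, None, USER, "userpassword", "read")
        print(f"{name}: anonymous can read userpassword -> {leak}")
```

Run it and the "catch-all first" ordering reports True: the "access to *" rule matches every attribute, so the userpassword rule below it is never reached. One caveat not in the post: this ACL only works when the applications read the hash through the login DN and compare it themselves, which is what the post describes; if users are instead meant to simple-bind as their own DN, OpenLDAP 2.0 and later additionally need "by anonymous auth" on userpassword before the final "by * none".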

Second, make an entry for dn="cn=login,dc=abc,dc=com" in your directory. This
md5 password is just a digest form of the word "password". I'm not sure whether
person allows userpassword or not; I keep my schema checking turned off.

# Login DN used by the authentication modules; the hash is {MD5} of "password"
dn: cn=login,dc=abc,dc=com
objectclass: person
userpassword: {MD5}X03MO1qnZdYdgyfeuILPmQ==
cn: login
sn: login

Depending on the authentication modules you are using, you may be able to store
pure {md5} for the password. PAM-LDAP and Qmail-LDAP should support salted
md5. It is unlikely that you will be able to use salted md5 when you reach the
point of using this dn to read authentication information for multiple
directory enabled applications. In some cases, you may have to store the
password in plaintext (not recommended).
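To make the {md5} versus salted md5 distinction concrete, here is an added example (my code, not from the post, PAM-LDAP or Qmail-LDAP) that produces both forms of the userpassword value and performs the comparison an application does after it has read the attribute through the login DN. The {MD5} form is base64 of the raw digest, which is exactly the value in the LDIF above; the {SMD5} form is base64 of the digest of password plus salt, followed by the salt, so the same password yields a different stored value every time. A bare value with no scheme prefix is treated as the plaintext fallback the post mentions. The salt length of four bytes is an assumption.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4  # assumed salt size; slapd itself accepts any length


def md5_hash(password: str) -> str:
    """{MD5} scheme: base64 of the unsalted MD5 digest (the post's LDIF value)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def smd5_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SMD5} scheme: base64 of md5(password || salt) || salt."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.md5(password.encode("utf-8") + salt).digest()
    return "{SMD5}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, password: str) -> bool:
    """The check an application performs on a userpassword value it read
    via the login DN. Constant-time comparison avoids timing side channels."""
    candidate = password.encode("utf-8")
    if stored.startswith("{MD5}"):
        digest = base64.b64decode(stored[len("{MD5}"):])
        return hmac.compare_digest(digest, hashlib.md5(candidate).digest())
    if stored.startswith("{SMD5}"):
        blob = base64.b64decode(stored[len("{SMD5}"):])
        digest, salt = blob[:16], blob[16:]   # MD5 digests are 16 bytes, the rest is salt
        return hmac.compare_digest(digest, hashlib.md5(candidate + salt).digest())
    # No scheme prefix: stored in plaintext, the post's "not recommended" case
    return hmac.compare_digest(stored.encode("utf-8"), candidate)


if __name__ == "__main__":
    print(md5_hash("password"))          # {MD5}X03MO1qnZdYdgyfeuILPmQ==
    print(smd5_hash("password"))         # differs on every run because of the salt
    print(verify("{MD5}X03MO1qnZdYdgyfeuILPmQ==", "password"))  # True
```

The practical point for the directory owner is that an unsalted {MD5} value can be precomputed for a whole dictionary once and matched against every entry read through the login DN, whereas {SMD5} forces a separate computation per entry; the same applies to the {SSHA} scheme that later OpenLDAP releases offer and prefer.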

Third, put this login dn and password into the configuration files for your
authentication modules. You don't need to reboot a client unix workstation if
you've modified /etc/ldap.conf. For Qmail-LDAP you should also be OK. Courier's
authdaemond processes need to be restarted if authldaprc is modified.

Fourth, restart slapd with the newly modified slapd.conf file. When it
inevitably does not work, start slapd in debug mode and watch the data fly by
while you attempt to authenticate. This will show you what is going wrong.

Please no personal emails with further questions. I am not a help desk. If you
notice that I have said something incorrect, then feel free to send personal
email.

Regards,
Mike