
Re: Antwort: Re: Antwort: Re: Changing User Password with ldappasswd



Thomas wrote...:

> Ok, I thought the rootpw directive only applies when using the
> rootdn (-D "cn=Admin, ...)

you were absolutely right about that.

> and by issuing an access control directive with "access to
> userpassword by self write" I could
> let everybody change their user passwords without issuing the ldap
> password.

note: there's nothing like "the LDAP Password". the root-password is the 
password of the root-user and nothing more. your users will have to bind 
with _their own_ password.
and: a user has to _prove_ that he _is_ a specific user, before slapd 
will believe him that he really is. this is (not always, but quite 
often) done by asking for the user's password. if a user doesn't specify 
a password (but maybe a binddn) when binding to slapd, he will 
automatically be treated as an "anonymous" user.. so, no 'access "by 
self"' can be applied..

> So how could I prevent a normal user from using
>  -D "cn=Admin, ..." and destroying my ldap db (for I have to tell
>  him the ldap password as you pointed out)?

no. no. no. the root-account is (poorly) secured by the root-password 
and you shouldn't tell _anybody_ about this password, and better not 
about the rootdn either. it's _not_ a good solution to give everybody root-
access. (you aren't using windows, are you..? ;o)

> Or how can I configure ldap to use each user's old userpassword as
> the ldap password when using "ldappasswd"?

you will not have to configure anything special here. when a user binds 
with "-D <his binddn>" and "-w <his password>" slapd will check whether 
the password specified matches the password stored as "userpassword"-
attribute in that user's entry. after that the user can specify a new 
password, and slapd will write that down.. (and "access to 
attr=userpassword by self write" will be applied..)

> P.S. I just got Dejan's answer and it seems that I am using quite
> an old version of openldap (1.2.11). I'll give it a try
> and install the latest version.

good idea. :o)


hth,
daniel
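As an added illustration of the ACL discussed in this thread (this is an editor's example, not configuration posted by Daniel or Thomas), here is a slapd.conf fragment in OpenLDAP 2.x syntax; the suffix dc=example,dc=com, the user DN and the rootpw hash are placeholders. The `by anonymous auth` clause is what lets a not-yet-authenticated connection present a password for the bind itself without being able to read anyone's password hash.

```conf
# slapd.conf fragment, OpenLDAP 2.x ACL syntax. Added example, not from
# the original thread. Suffix, DNs and the rootpw hash are placeholders.

# The directory's own administrator. rootdn bypasses every ACL below,
# which is exactly why rootpw must never be handed to ordinary users.
rootdn          "cn=Admin,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-generate-with-slappasswd

# ACLs are evaluated in order; the first "access to" clause that matches
# the target decides, so the userPassword rule must come before "access to *".
#   by self write      -> a user bound as his own DN may change his password
#   by anonymous auth  -> an unauthenticated client may use the attribute
#                         only to authenticate (simple bind), not read it
#   by * none          -> everyone else, other users included, gets nothing
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else: a user may edit his own entry, authenticated users may
# read, anonymous clients see nothing.
access to *
        by self write
        by users read
        by * none

# Client side (constructed example): the user binds as himself, proves
# the current password (-W prompts for it) and sets a new one (-S prompts
# for it). Neither the rootdn nor the rootpw is involved.
#   ldappasswd -x -D "uid=thomas,ou=People,dc=example,dc=com" -W -S
```

Because the first matching rule wins, "by users read" in the catch-all never exposes userPassword to other authenticated users.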