[Date Prev][Date Next]
Re: Antwort: Re: Antwort: Re: Changing User Password with ldappasswd
> Ok, I thought the rootpw directive only applies when using the
> rootdn (-D "cn=Admin, ...)
you were absolutely right with that.
> and by issuing an access control directive with "access to
> userpassword by self write" I could
> everybody make change their user passwords without issuing the ldap
note: there's nothing like "the LDAP Password". the root-password is the
password of the root-user and nothing more. your users will have to bind
with _their own_ password.
and: a user has to _proove_ that he _is_ a specific user, before slapd
will believe him, that he really is. this is (not always, but quite
often) done by asking for the user's password. if a user doesn't specify
a password (but maybe a binddn) when binding to slapd, he will
automatically be treated as "anonymous" user.. so, no 'access "by
self"' can be applied..
> So how could I prevent a normal user from using
> -D "cn=Admin, ..." and destroying my ldap db (for I have to tell
> him the ldap password as you pointed out)?
no. no. no. the root-account is (poorly) secured by the root-password
and you shouldn't tell _anybody_ about this password, and better not
about the rootdn to. it's _not_ a good solution to give everybody root-
access. (you aren't using windows, are you..? ;o)
> Or how can I configure ldap to use each user's old userpassword as
> the ldap password when using "ldappasswd"?
you will not have to configure anything special here. when a user binds
with "-D <his binddn>" and "-w <his password>" slapd will check whether
the password specified matches the password stored as "userpassword"-
attribute in that users entry. after that the user can specify a new
password, and slapd will write that down.. (and "access to
attr=userpassword by self write" will be applied..)
> P.S. I just got Dejan's answer and it seems that I am using quite
> an old version of openldap (1.2.11). I'll give it a try
> and install the latest version.
good idea. :o)