[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: LDAP Auth and users changing their passwords



Title: RE: LDAP Auth and users changing their passwords

You are partly correct.  The credentials that you setup in the /etc/ldap.conf serve as the user and passwd to bind to the dlap server as.  Having said that, the user doesn't really change his passwd, the user that pam binds (setup in /etc/ldap.conf) does.  This structure allows for having thousands of entries and only a few update permissions to setup.  If you are having issues with users not being able to update their passwds, verify that the binding user has write privs to the directory.

Usually this is a user aside from the admin.

you also may wich to take a look at the nice little tool called ldappasswd.  I believe you can use this to change directory passwds.  However I am uncertain if this is the way to go.


Go Linux!

Terry Inzauro



-----Original Message-----
From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
Sent: Tuesday, August 26, 2003 5:26 PM
To: Terry.Inzauro@infoUSA.com; openldap-software@OpenLDAP.org
Subject: Re: LDAP Auth and users changing their passwords


Ok I will try this.

This brings me to a further question. How does pam ldap authenticate the
user to the ldap directory so that they can change their userPassword
attribute? I am assuming that the user has to bind to the ldap directory
via simple authentication and then is allowed to change only its
password field?

Sorry if I am fishing a bit here, I am still trying to wrap my head
around how the authentication is actually happening and how the process
of updating entries in the directory should be accomplished. Preferably
I would like to have each user authenticated to the directory in such a
way to allow them to access only their entry for userPassword and be the
only ones, besides the rootdn to be able to write to it.

Just in case here is an example entry in my directory for a user.

dn: uid=tmartin,ou=People,dc=physics,dc=ucsd,dc=edu
uid: tmartin
cn: tmartin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}hashhashhashhash
shadowLastChange: 12270
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/tmartin

I am authenticating fine to both my linux clients and my cyrus imap
server. Now I am looking to nail down the who usermanagement issue. Part
of that is allowing users to change their own passwords. I am just not
sure what is the best/most common approach.

Terrence


Terry.Inzauro@infoUSA.com wrote:

> I believe the ldap pam module is responsible for this
>
>
>
> Terry Inzauro
>
>
>
> -----Original Message-----
> From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
> Sent: Tuesday, August 26, 2003 4:49 PM
> Cc: openldap-software@OpenLDAP.org
> Subject: LDAP Auth and users changing their passwords
>
>
> I was wondering what people are using to allow users to change their
> passwords in the ldap directory when using ldap for authentication.
>
> My situation is that I want users to be able to change their Unix
> account passwords through a mechanism similar to the passwd(1) command
> but have those changes be reflected in the ldap database.
>
> Web or command line interface is fine.
>
> Terrence
>