[Date Prev][Date Next]
Re: LDAP Auth and users changing their passwords
You are partly correct. The credentials that you setup in the
/etc/ldap.conf serve as the user and passwd to bind to the dlap server
as. Having said that, the user doesn't really change his passwd, the
user that pam binds (setup in /etc/ldap.conf) does. This structure
allows for having thousands of entries and only a few update
permissions to setup. If you are having issues with users not being
able to update their passwds, verify that theOk but is this at all secure? To me this is looking a lot like putting a
root password in a file and crossing my fingers no one will read it.
binding user has write privs to the directory.
Usually this is a user aside from the admin.
Don't credentials placed in the /etc/ldap.conf file that are used to
bind to the directory essentially open up the directory for arbitrary
writing/reading by anyone with root on the client? While this might be
suitable on tightly controlled client I would like to have lab machines
and even systems that have shared root access to use the ldap server for
authentication. There has to be another way that does not place so much
trust in clients.
The Oreilly ldap book has an example of an ACL that will allow users to
change the userPassword attribute only if they authenticate.
access to *
by * read
access to attrs=userPassword
by self write
by * auth
Unfortunately the book is kinda vague on how exactly the user is getting
authenticated to the directory and how the bind is occuring. I am
assuming that the user themselves are binding to the ldap directory and
not via a super users or administrator dn.
So my next question is how (if it is even possible) do you modify
/etc/ldap.conf so that when a user authenticates to a system via pam
that system binds to the ldap directory using that users dn and password
rather than an administrative level dn? Preferably I would like users to
only be able to read and write the userPassword entry. Otherwise I have
the same problem that NIS suffers from where anyone with ypcat can get
access to the hashes.
It seems like something that should be possible...
As an aside I have authentication working currently with anonymous binds
as that is the default just to make sure everything is working. I am
also using TLS so turning up security as high as I can is my next step.
you also may wich to take a look at the nice little tool called
ldappasswd. I believe you can use this to change directory passwds.
However I am uncertain if this is the way to go.
From: Terrence Martin [mailto:email@example.com]
Sent: Tuesday, August 26, 2003 5:26 PM
To: Terry.Inzauro@infoUSA.com; openldap-software@OpenLDAP.org
Subject: Re: LDAP Auth and users changing their passwords
Ok I will try this.
This brings me to a further question. How does pam ldap authenticate the
user to the ldap directory so that they can change their userPassword
attribute? I am assuming that the user has to bind to the ldap directory
via simple authentication and then is allowed to change only its
Sorry if I am fishing a bit here, I am still trying to wrap my head
around how the authentication is actually happening and how the process
of updating entries in the directory should be accomplished. Preferably
I would like to have each user authenticated to the directory in such a
way to allow them to access only their entry for userPassword and be the
only ones, besides the rootdn to be able to write to it.
Just in case here is an example entry in my directory for a user.
I am authenticating fine to both my linux clients and my cyrus imap
server. Now I am looking to nail down the who usermanagement issue. Part
of that is allowing users to change their own passwords. I am just not
sure what is the best/most common approach.
> I believe the ldap pam module is responsible for this
> Terry Inzauro
> -----Original Message-----
> From: Terrence Martin [mailto:firstname.lastname@example.org]
> Sent: Tuesday, August 26, 2003 4:49 PM
> Cc: openldap-software@OpenLDAP.org
> Subject: LDAP Auth and users changing their passwords
> I was wondering what people are using to allow users to change their
> passwords in the ldap directory when using ldap for authentication.
> My situation is that I want users to be able to change their Unix
> account passwords through a mechanism similar to the passwd(1) command
> but have those changes be reflected in the ldap database.
> Web or command line interface is fine.