
Re: LDAP Auth and users changing their passwords

Terry.Inzauro@infoUSA.com wrote:

You are partly correct. The credentials that you set up in /etc/ldap.conf serve as the user and passwd to bind to the ldap server as. Having said that, the user doesn't really change his passwd, the user that pam binds as (set up in /etc/ldap.conf) does. This structure allows for having thousands of entries and only a few update permissions to set up. If you are having issues with users not being able to update their passwds, verify that the binding user has write privs to the directory.

Usually this is a user aside from the admin.

Ok but is this at all secure? To me this is looking a lot like putting a root password in a file and crossing my fingers no one will read it.

Don't credentials placed in the /etc/ldap.conf file that are used to bind to the directory essentially open up the directory for arbitrary writing/reading by anyone with root on the client? While this might be suitable on tightly controlled clients, I would like to have lab machines and even systems that have shared root access use the ldap server for authentication. There has to be another way that does not place so much trust in clients.

The O'Reilly ldap book has an example of an ACL that will allow users to change the userPassword attribute only if they authenticate.

# slapd uses the first "access to" clause whose target matches the request,
# so the userPassword clause must come before the catch-all "access to *".
access to attrs=userPassword
   by self write
   by * auth

access to *
   by * read

Unfortunately the book is kinda vague on how exactly the user is getting authenticated to the directory and how the bind is occurring. I am assuming that the users themselves are binding to the ldap directory and not via a super user's or administrator dn.

So my next question is how (if it is even possible) do you modify /etc/ldap.conf so that when a user authenticates to a system via pam, that system binds to the ldap directory using that user's dn and password rather than an administrative level dn? Preferably I would like users to only be able to read and write the userPassword entry. Otherwise I have the same problem that NIS suffers from, where anyone with ypcat can get access to the hashes.

It seems like something that should be possible...

As an aside I have authentication working currently with anonymous binds as that is the default just to make sure everything is working. I am also using TLS so turning up security as high as I can is my next step.


you also may wish to take a look at the nice little tool called ldappasswd. I believe you can use this to change directory passwds. However I am uncertain if this is the way to go.

Go Linux!

Terry Inzauro

-----Original Message-----
From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
Sent: Tuesday, August 26, 2003 5:26 PM
To: Terry.Inzauro@infoUSA.com; openldap-software@OpenLDAP.org
Subject: Re: LDAP Auth and users changing their passwords

Ok I will try this.

This brings me to a further question. How does pam ldap authenticate the
user to the ldap directory so that they can change their userPassword
attribute? I am assuming that the user has to bind to the ldap directory
via simple authentication and then is allowed to change only its
password field?

Sorry if I am fishing a bit here, I am still trying to wrap my head
around how the authentication is actually happening and how the process
of updating entries in the directory should be accomplished. Preferably
I would like to have each user authenticated to the directory in such a
way to allow them to access only their entry for userPassword and be the
only ones, besides the rootdn to be able to write to it.

Just in case here is an example entry in my directory for a user.

dn: uid=tmartin,ou=People,dc=physics,dc=ucsd,dc=edu
uid: tmartin
cn: tmartin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}hashhashhashhash
shadowLastChange: 12270
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/tmartin

I am authenticating fine to both my linux clients and my cyrus imap
server. Now I am looking to nail down the whole user management issue. Part
of that is allowing users to change their own passwords. I am just not
sure what is the best/most common approach.


Terry.Inzauro@infoUSA.com wrote:

> I believe the ldap pam module is responsible for this
> Terry Inzauro
> -----Original Message-----
> From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
> Sent: Tuesday, August 26, 2003 4:49 PM
> Cc: openldap-software@OpenLDAP.org
> Subject: LDAP Auth and users changing their passwords
> I was wondering what people are using to allow users to change their
> passwords in the ldap directory when using ldap for authentication.
> My situation is that I want users to be able to change their Unix
> account passwords through a mechanism similar to the passwd(1) command
> but have those changes be reflected in the ldap database.
> Web or command line interface is fine.
> Terrence
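An added example, not from the thread or from the O'Reilly book: slapd processes "access to" clauses in order and uses the first clause whose target matches the request, so with the catch-all "access to *  by * read" listed first the userPassword clause is never reached, anonymous binds can read every hash (the ypcat situation raised above), and "by self write" is never consulted. The small first-match evaluator below models that ordering rule for the two clauses quoted in the thread, using the uid=tmartin DN from the example entry and a second, constructed DN (uid=otheruser) standing in for any other authenticated user; the `audit` function and its field names are my own, not anything slapd provides.

```python
# Added example (not from the thread or the O'Reilly book): a first-match
# evaluator for the slapd.conf ACL subset used in the thread, so clause
# ordering can be checked without a running slapd.
#   access to <what>      <what> is "*" or "attrs=<a>[,<b>...]"
#      by <who> <level>   <who> is self | anonymous | users | *
#                         <level> is none|auth|compare|search|read|write
# slapd takes the first "access to" clause whose <what> matches, then the
# first "by" line in it whose <who> matches; no match means no access.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

USER_DN = "uid=tmartin,ou=People,dc=physics,dc=ucsd,dc=edu"    # from the thread
OTHER_DN = "uid=otheruser,ou=People,dc=physics,dc=ucsd,dc=edu"  # constructed

# The two clauses in the order they were posted (catch-all first).
ACL_AS_POSTED = """
access to *
   by * read

access to attrs=userPassword
   by self write
   by * auth
"""

# The same clauses with the attribute-specific clause first.
ACL_REORDERED = """
access to attrs=userPassword
   by self write
   by * auth

access to *
   by * read
"""

def parse_acl(text):
    """Return a list of {"what": ..., "by": [(who, level), ...]} in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("access to "):
            rules.append({"what": line[len("access to "):], "by": []})
        elif line.startswith("by "):
            who, level = line[3:].split()
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            rules[-1]["by"].append((who, level))
        else:
            raise ValueError("unrecognised line: " + line)
    return rules

def what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    return False

def who_matches(who, requester_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    return False

def granted(rules, requester_dn, target_dn, attr):
    """Level the requester gets on target_dn's attr; requester_dn None = anonymous."""
    for rule in rules:
        if not what_matches(rule["what"], attr):
            continue
        for who, level in rule["by"]:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"  # clause matched the target but no "by" line matched
    return "none"      # no clause matched at all

def allows(level, needed):
    """Levels are cumulative: write implies read implies search ... implies auth."""
    return LEVELS.index(level) >= LEVELS.index(needed)

def audit(acl_text):
    """Answer the thread's questions for one ACL as a dict of booleans."""
    rules = parse_acl(acl_text)
    pw = "userPassword"
    return {
        "anon_can_read_hashes": allows(granted(rules, None, USER_DN, pw), "read"),
        "other_user_can_read_hashes": allows(granted(rules, OTHER_DN, USER_DN, pw), "read"),
        "user_can_bind": allows(granted(rules, None, USER_DN, pw), "auth"),
        "self_can_write_password": allows(granted(rules, USER_DN, USER_DN, pw), "write"),
        "anon_can_read_shell": allows(granted(rules, None, USER_DN, "loginShell"), "read"),
    }

if __name__ == "__main__":
    for name, text in (("as posted", ACL_AS_POSTED), ("reordered", ACL_REORDERED)):
        print(name, audit(text))
```

With the clauses as posted the audit reports that anonymous and other users can read the hashes and that the owner cannot write the attribute; reordered, a simple bind still works (the bind itself only needs "auth" on userPassword), nobody but the owner can read or write the hash, and the rest of the entry stays world-readable. This settles only what the directory permits for a given bind identity; which identity pam_ldap actually binds as when it changes a password is the separate question the thread is asking. On a live server the same check is an anonymous ldapsearch for userPassword against your own entry: if the hash comes back, the clause order needs fixing.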