
RE: LDAP Auth and users changing their passwords

The passwd in /etc/ldap.conf is always encrypted.  So yes, it is available to all users with root privs; however, who has root access that is not trusted to be in the directory?  Furthermore, the user that the ldap client binds to the server as should be treated with more importance than a local root account.  Keep in mind that this person should be separate from root and has control over everyone's user accounts that he was given responsibility over by access directives in slapd.conf.  The other way around this would be to set up access rules in slapd.conf for all users......eew!


It's all about privilege separation and role playing.

Terry Inzauro
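A small model of the slapd ACL semantics this thread turns on, added here as an editor's example; it is not OpenLDAP code and not from either poster. It implements only the subset of slapd.conf syntax used in the thread plus `dn.exact="..."`, with slapd's first-match rule: the first `access to` directive whose target covers the attribute is the only one consulted, so a catch-all `access to *` placed before the `attrs=userPassword` directive makes the latter unreachable and leaves the hashes world-readable, which is the ypcat problem raised further down. The DNs are constructed from the entry quoted later in the thread; `cn=pamproxy,...` is a hypothetical stand-in for a shared binddn kept in /etc/ldap.conf.

```python
"""Toy model of how slapd evaluates 'access to ... by ...' directives.

Constructed example, not OpenLDAP code.  Supported subset: <what> is '*' or
'attrs=<list>'; <who> is '*', 'anonymous', 'users', 'self' or
dn.exact="<DN>" (DN without spaces); default 'stop' control only.
"""
import re

# Access levels in increasing order; a grant of level X satisfies any
# request for a level at or below X (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse slapd-style 'access to' directives into a list of rules."""
    rules = []
    for block in re.split(r"^\s*access\s+to\s+", text, flags=re.M)[1:]:
        tokens = block.split()
        what, clauses = tokens[0], tokens[1:]
        rule = {"attrs": None, "by": []}  # attrs=None means <what> was '*'
        if what.startswith("attrs="):
            rule["attrs"] = set(what[len("attrs="):].split(","))
        elif what != "*":
            raise ValueError("unsupported <what> clause: %s" % what)
        if len(clauses) % 3:
            raise ValueError("malformed 'by' clauses in: %s" % block)
        for i in range(0, len(clauses), 3):
            by, who, level = clauses[i:i + 3]
            if by != "by" or level not in LEVELS:
                raise ValueError("malformed 'by' clause: %s" % clauses[i:i + 3])
            rule["by"].append((who, level))
        rules.append(rule)
    return rules


def _who_matches(who, bound_dn, target_dn):
    """Does a <who> clause apply to this requester?  bound_dn is None if anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn == target_dn
    if who.startswith('dn.exact="') and who.endswith('"'):
        return bound_dn == who[len('dn.exact="'):-1]
    raise ValueError("unsupported <who> clause: %s" % who)


def access_granted(rules, bound_dn, target_dn, attr, wanted):
    """Decide whether bound_dn gets at least `wanted` access to target_dn's attr.

    First-match semantics: the first 'access to' whose <what> covers the
    attribute is the only one consulted; inside it the first <who> that
    matches the requester decides; no matching <who> means no access.
    """
    for rule in rules:
        if rule["attrs"] is not None and attr not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if _who_matches(who, bound_dn, target_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False
    return False


# Constructed DNs; the proxy DN is a hypothetical shared binddn.
USER = "uid=tmartin,ou=People,dc=physics,dc=ucsd,dc=edu"
OTHER = "uid=someone,ou=People,dc=physics,dc=ucsd,dc=edu"
PROXY = "cn=pamproxy,dc=physics,dc=ucsd,dc=edu"

# Catch-all first: the userPassword directive is never reached.
CATCHALL_FIRST = """
access to *
    by * read
access to attrs=userPassword
    by self write
    by * auth
"""

# Same directives, userPassword first: hashes unreadable, binds still work.
PASSWORD_FIRST = """
access to attrs=userPassword
    by self write
    by * auth
access to *
    by * read
"""

# A shared proxy DN with write access, the binddn/bindpw model.
PROXY_WRITES = """
access to attrs=userPassword
    by self write
    by dn.exact="cn=pamproxy,dc=physics,dc=ucsd,dc=edu" write
    by * auth
access to *
    by * read
"""


def summarize(acl_text):
    """Answer the questions raised in the thread for one ACL configuration."""
    rules = parse_acl(acl_text)
    return {
        "anonymous_can_bind": access_granted(rules, None, USER, "userPassword", "auth"),
        "anonymous_reads_hash": access_granted(rules, None, USER, "userPassword", "read"),
        "other_user_reads_hash": access_granted(rules, OTHER, USER, "userPassword", "read"),
        "self_can_change": access_granted(rules, USER, USER, "userPassword", "write"),
        "proxy_changes_anyone": access_granted(rules, PROXY, USER, "userPassword", "write"),
        "uidnumber_readable": access_granted(rules, None, USER, "uidNumber", "read"),
    }


if __name__ == "__main__":
    for name, acl in [("catch-all first", CATCHALL_FIRST),
                      ("userPassword first", PASSWORD_FIRST),
                      ("shared proxy with write", PROXY_WRITES)]:
        print(name, summarize(acl))
```

The first configuration shows why order matters: with `access to *` on top, every client (anonymous included) can read `userPassword`, and the owner cannot write it. The second is the form that answers the question further down: binding as the user's own DN is what pam_ldap does when `pam_password exop` is set (it binds with the user's current password and issues the Password Modify extended operation, RFC 3062), so `by self write` is the only write grant the directory needs. The third makes the cost of a shared binddn explicit: any root on any client holding that /etc/ldap.conf can reset anyone's password.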

-----Original Message-----
From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
Sent: Tuesday, August 26, 2003 6:19 PM
To: Terry.Inzauro@infoUSA.com
Cc: openldap-software@OpenLDAP.org
Subject: Re: LDAP Auth and users changing their passwords


Terry.Inzauro@infoUSA.com wrote:

> You are partly correct.  The credentials that you set up in the
> /etc/ldap.conf serve as the user and passwd to bind to the ldap server
> as.  Having said that, the user doesn't really change his passwd; the
> user that pam binds as (set up in /etc/ldap.conf) does.  This structure
> allows for having thousands of entries and only a few update
> permissions to set up.  If you are having issues with users not being
> able to update their passwds, verify that the
>
> binding user has write privs to the directory.
>
> Usually this is a user aside from the admin.
>
Ok but is this at all secure? To me this is looking a lot like putting a
root password in a file and crossing my fingers no one will read it.

Don't credentials placed in the /etc/ldap.conf file that are used to
bind to the directory essentially open up the directory for arbitrary
writing/reading by anyone with root on the client? While this might be
suitable on a tightly controlled client, I would like to have lab machines
and even systems that have shared root access use the ldap server for
authentication. There has to be another way that does not place so much
trust in clients.

The O'Reilly LDAP book has an example of an ACL that will allow users to
change the userPassword attribute only if they authenticate.

access to *
    by * read

access to attrs=userPassword
    by self write
    by * auth

Unfortunately the book is kinda vague on how exactly the user is getting
authenticated to the directory and how the bind is occurring. I am
assuming that the users themselves are binding to the ldap directory and
not via a superuser or administrator dn.

So my next question is how (if it is even possible) do you modify
/etc/ldap.conf so that when a user authenticates to a system via pam
that system binds to the ldap directory using that user's dn and password
rather than an administrative level dn? Preferably I would like users to
only be able to read and write the userPassword entry. Otherwise I have
the same problem that NIS suffers from, where anyone with ypcat can get
access to the hashes.

It seems like something that should be possible...

As an aside I have authentication working currently with anonymous binds
as that is the default just to make sure everything is working. I am
also using TLS so turning up security as high as I can is my next step.

Terrence

> you also may wish to take a look at the nice little tool called
> ldappasswd.  I believe you can use this to change directory passwds.
> However I am uncertain if this is the way to go.
>
>
> Go Linux!
>
> Terry Inzauro
>
>
>
> -----Original Message-----
> From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
> Sent: Tuesday, August 26, 2003 5:26 PM
> To: Terry.Inzauro@infoUSA.com; openldap-software@OpenLDAP.org
> Subject: Re: LDAP Auth and users changing their passwords
>
>
> Ok I will try this.
>
> This brings me to a further question. How does pam ldap authenticate the
> user to the ldap directory so that they can change their userPassword
> attribute? I am assuming that the user has to bind to the ldap directory
> via simple authentication and then is allowed to change only its
> password field?
>
> Sorry if I am fishing a bit here, I am still trying to wrap my head
> around how the authentication is actually happening and how the process
> of updating entries in the directory should be accomplished. Preferably
> I would like to have each user authenticated to the directory in such a
> way to allow them to access only their entry for userPassword and be the
> only ones, besides the rootdn to be able to write to it.
>
> Just in case here is an example entry in my directory for a user.
>
> dn: uid=tmartin,ou=People,dc=physics,dc=ucsd,dc=edu
> uid: tmartin
> cn: tmartin
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> userPassword: {crypt}hashhashhashhash
> shadowLastChange: 12270
> shadowMax: 99999
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 5000
> gidNumber: 5000
> homeDirectory: /home/tmartin
>
> I am authenticating fine to both my linux clients and my cyrus imap
> server. Now I am looking to nail down the whole user management issue.
> Part of that is allowing users to change their own passwords. I am just
> not sure what is the best/most common approach.
>
> Terrence
>
>
> Terry.Inzauro@infoUSA.com wrote:
>
> > I believe the ldap pam module is responsible for this
> >
> >
> >
> > Terry Inzauro
> >
> >
> >
> > -----Original Message-----
> > From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
> > Sent: Tuesday, August 26, 2003 4:49 PM
> > Cc: openldap-software@OpenLDAP.org
> > Subject: LDAP Auth and users changing their passwords
> >
> >
> > I was wondering what people are using to allow users to change their
> > passwords in the ldap directory when using ldap for authentication.
> >
> > My situation is that I want users to be able to change their Unix
> > account passwords through a mechanism similar to the passwd(1) command
> > but have those changes be reflected in the ldap database.
> >
> > Web or command line interface is fine.
> >
> > Terrence
> >
>