Re: How To set things up to allow users to change their passwords

Robert Heller wrote:
At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik <stybla@turnovfree.net> wrote:
Robert Heller wrote:
At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter" <dieter@dkluenter.de> wrote:
Robert Heller <heller@deepsoft.com> writes:
>>>>> I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
>>>>> RPMS) and I want to allow users to change their passwords, but I am
>>>>> confused by the documentation (it has both too much and not enough
>>>>> information -- there don't appear to be simple HowTos for common setups).
>>>> http://www.openldap.org/doc/admin24/slapdconfig.html
>>>>  see section 6.3
>>> OK, I have set this up, and with some poking around I have gained a
>>> better understanding of what is going on.  I have another question:
>>> In the sample config it has an access control list that looks like:
>>> access to attrs=userPassword
>>> 	by self write
>>> 	by anonymous auth
>>> 	by dn.base="cn=Admin,dc=example,dc=com" write
>>> 	by * none
>>> Where does the password for "cn=Admin,dc=example,dc=com" exist?  Is this
>>> something I add to slapd.config or insert into the database or ???
Evening,
>> -- SNIP ---
>> # cat /etc/openldap/slapd.conf
>> ...
>> rootdn		"cn=Manager,dc=domain,dc=tld"
>> rootpw		{SSHA}blahBlahHash
> It already has a rootdn/rootpw, much like the sample one

Should we have a crystal ball? You haven't shown us a bit of your
configs and expecting miracles?
Yes, I'm being rude. Yes, I found your question as a "basic know-how"
thing. Also, whole thing can be studied in many books out there. And
believe it, it's not that much to read.
Also, if you are looking for some very specific how-to which is going to
be tailored specially for you, I somewhat resigned on such ideas. But
yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos
[oh, well - google?].
If you don't want to waste time with setting up OpenLDAP, which you
should if you're real about using it, then pay somebody. There are
companies doing it for living.

>(in section
> 6.3) for 'cn=Manager,dc=example,dc=com', the sample slapd.config has this also. 
> The slapd.config in section 6.3 *ALSO* refers to the DN
> "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from
> "cn=Manager,dc=example,dc=com".  How do I specify a password for this
> *OTHER* DN?  

You will use % slappasswd; to generate HASH password. Then, you will use
% ldapadd; or % ldapmod;, to add new user entry with DN:
'cn=Admin,dc=example,dc=com'. Please, do read manual pages for those, or
some books about LDIF.

> Or is the slapd.conf in section 6.3 just being gratuitously
> confusing for no good reason?

Well, that's possible. It's been written by people. If there are
mistakes, please, point them out (ideally with appropriate fixes), so
they can be fixed/clarified. Yeah, Admin's guide isn't perfect. In
fact, some sections are missing, or lack information.

> I understand that the rootdn has write
> access to everything, no matter what the ACLs say.  I am presuming that the
> ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to
> updating accounts.  How do I set this other person's password?  Is this
> in the database, slapd.conf or ldap.conf or someplace else?

Use % ldapmod;.

