[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: How To set things up to allow users to change their passwords

> Sent: Monday, December 07, 2009 3:53 AM
> To: openldap-technical@openldap.org
> Cc: Serge Fonville; Robert Heller
> Subject: Re: How To set things up to allow users to change their
> passwords
> On Sunday, 6 December 2009 15:49:58 Robert Heller wrote:
> > At Sun, 6 Dec 2009 02:13:28 +0100 Serge Fonville <serge.fonville@gmail.com> wrote:
> > > On Fri, Dec 4, 2009 at 5:55 PM, Robert Heller <heller@deepsoft.com> wrote:
> > > > I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
> > > > RPMS) and I want to allow users to change their passwords, but I am
> > > > confused by the documentation (it has both too much and not enough
> > > > information -- there don't appear to be simple HowTos for common
> > > > setups).
> > >
> Your PAM configuration should have been updated (if you used authconfig
> or
> similar) to change passwords via LDAP, so 'passwd' as an LDAP user
> should
> work.

More specifically, and to hopefully end this thread, look in libnss-ldap.conf and/or pam_ldap.conf at the pam_password attribute (and setup pam for ldap, plenty of well written docs on that online).
Set it to exop for slapd to take the plaintext from the passwd command and encrypt with whatever your slapd.conf says to use for userpassword (default ssha, set via password-hash) and update the ldap tree (and follow any policy guidelines if you use ppolicy overlay). If you instead did go the route of a cgi/php page, you can comment out pam-passwd and set pam_password_prohibit_message to its url to send users there.

the Admin entry is probably just an example for some "admin" user created for an app/other user to change passwords for users. slapd doesn’t auto create entries unless an overlay or config item tells it to, even the cn=manager,<BASE-DN> entry is "created" from your slapd.conf file (rootdn/rootpw)