
Re: ppolicy : managing passwords by another user than root



Hi Buchan,

I'm not trying to manage password policies through PHP. I just had a problem granting a user the right to change passwords.
I figured it out now by modifying the ACLs.

Here is a sample of my slapd.conf:
>>>>>>>>CUT<<<<<<<<<<<<<

# Default password policy
overlay         ppolicy
ppolicy_default cn=default,ou=policies,o=others,dc=domain,dc=tld
ppolicy_hash_cleartext
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

# The base of your directory in database #1
suffix          "dc=domain,dc=tld"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# rootdn          "cn=admin,dc=domain,dc=tld"
rootdn  "cn=admin,dc=domain,dc=tld"
rootpw  {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

>>>>>>>CUT<<<<<<<<<<<<


# org1 administrators have all the rights on the subtree ou=Users,o=org1,dc=domain,dc=tld
access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
        by dn="cn=admin.org1,o=others,dc=domain,dc=tld" write
        by dn="cn=admin,dc=domain,dc=tld" write
        by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
        by anonymous auth
        by self write
        by * none

access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld"
        by dn="cn=admin.org1,o=others,dc=domain,dc=tld" manage
        by dn="cn=admin,dc=domain,dc=tld" write
        by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
        by anonymous read
        by * none

# org2 administrators have all the rights on the subtree ou=Users,o=org2,dc=domain,dc=tld
access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
        by dn="cn=admin.org2,o=others,dc=domain,dc=tld" write
        by dn="cn=admin,dc=domain,dc=tld" write
        by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
        by anonymous auth
        by self write
        by * none

access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld"
        by dn="cn=admin.org2,o=others,dc=domain,dc=tld" manage
        by dn="cn=admin,dc=domain,dc=tld" write
        by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
        by anonymous read
        by * none


####
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=domain,dc=tld" write
        by dn="cn=auth,o=others,dc=domain,dc=tld" read
        by dn="cn=syncrepluser,o=others,dc=domain,dc=tld" read
        by anonymous auth
        by self write
        by * none


And my password policy :
ldapsearch -Wx -H ldaps://ldap.domain.tld -D cn=admin,dc=domain,dc=tld -b o=others,dc=domain,dc=tld cn=default
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=others,dc=domain,dc=tld> with scope subtree
# filter: cn=default
# requesting: ALL
#

# default, policies, others, domain.tld
dn: cn=default,ou=policies,o=others,dc=domain,dc=tld
pwdAttribute: userPassword
pwdLockout: TRUE
pwdLockoutDuration: 10800
pwdMaxFailure: 5
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAllowUserChange: TRUE
pwdMinLength: 8
pwdMaxAge: 15552000
pwdExpireWarning: 15120000
pwdCheckQuality: 2
pwdInHistory: 4

Now it works. Sorry, I should have provided you with more information. I'll do it next time.

Regards,
Grifith

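An added example, not part of this mail and not OpenLDAP code: a small Python model of how slapd evaluates the access directives posted above, so the delegation can be checked without a running server. It reproduces the two rules that decide the outcome here: only the first "access to" directive whose target matches is consulted, and within it the first matching "by" clause decides, even when what it grants is "none". The bind DNs, subtrees and rootdn are the ones from the posted slapd.conf; the user entries uid=alice and uid=bob are constructed, and the syncrepluser lines and org2's second (attribute-wide) directive are left out because they do not change any of the cases below.

```python
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # lowest to highest
ROOTDN = "cn=admin,dc=domain,dc=tld"  # the posted rootdn; slapd never applies ACLs to it

# The posted directives in slapd order (syncrepluser lines and org2's attribute-wide directive omitted).
ACLS_TEXT = """
access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
        by dn="cn=admin.org1,o=others,dc=domain,dc=tld" write
        by dn="cn=admin,dc=domain,dc=tld" write
        by anonymous auth
        by self write
        by * none
access to dn.subtree="ou=Users,o=org1,dc=domain,dc=tld"
        by dn="cn=admin.org1,o=others,dc=domain,dc=tld" manage
        by dn="cn=admin,dc=domain,dc=tld" write
        by anonymous read
        by * none
access to dn.subtree="ou=Users,o=org2,dc=domain,dc=tld" attrs=userPassword,shadowLastChange
        by dn="cn=admin.org2,o=others,dc=domain,dc=tld" write
        by dn="cn=admin,dc=domain,dc=tld" write
        by anonymous auth
        by self write
        by * none
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=domain,dc=tld" write
        by dn="cn=auth,o=others,dc=domain,dc=tld" read
        by anonymous auth
        by self write
        by * none
"""

def norm(dn):
    """Lower-case a DN and strip whitespace around commas so DNs compare equal."""
    return ",".join(p.strip() for p in dn.lower().split(","))

def parse_acls(text):
    """Parse 'access to ... by ...' directives into dicts, in file order."""
    acls = []
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line.startswith("access to"):
            dn, at = re.search(r'dn\.subtree="([^"]+)"', line), re.search(r"attrs=([\w,]+)", line)
            acls.append({"subtree": norm(dn.group(1)) if dn else None,                 # None: any entry
                         "attrs": set(at.group(1).lower().split(",")) if at else None,  # None: any attribute
                         "by": []})
        elif line.startswith("by "):
            m = re.match(r'by\s+(dn="[^"]+"|anonymous|self|\*)\s+(\w+)$', line)
            if not m or m.group(2) not in LEVELS:
                raise ValueError("unsupported by clause: " + line)
            acls[-1]["by"].append(m.groups())
    return acls

def what_matches(acl, target_dn, attr):
    """Does the directive's 'to' clause cover this entry and attribute?"""
    t = norm(target_dn)
    in_tree = acl["subtree"] is None or t == acl["subtree"] or t.endswith("," + acl["subtree"])
    return in_tree and (acl["attrs"] is None or attr.lower() in acl["attrs"])

def who_matches(who, bind_dn, target_dn):
    """Does a 'by' clause apply to this bind DN (None means an anonymous bind)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    return bind_dn is not None and norm(bind_dn) == norm(who[4:-1])  # who is dn="..."

def evaluate(acls, bind_dn, target_dn, attr):
    """Access level bind_dn (None = anonymous) gets on attr of target_dn."""
    if bind_dn is not None and norm(bind_dn) == norm(ROOTDN):
        return "manage"  # rootdn bypasses ACLs entirely
    for acl in acls:
        if what_matches(acl, target_dn, attr):  # only the first matching 'to' clause is consulted
            for who, lvl in acl["by"]:
                if who_matches(who, bind_dn, target_dn):
                    return lvl  # first matching 'by' clause decides, even when it grants 'none'
            return "none"  # directive matched but no 'by' clause applied
    return "none"  # nothing matched: denied

# Constructed test entries, plus bind DNs taken from the posted config.
ORG1_USER = "uid=alice,ou=Users,o=org1,dc=domain,dc=tld"
ORG2_USER = "uid=bob,ou=Users,o=org2,dc=domain,dc=tld"
ADMIN_ORG1 = "cn=admin.org1,o=others,dc=domain,dc=tld"
AUTH_DN = "cn=auth,o=others,dc=domain,dc=tld"

def delegation_check():
    """Who gets which level on userPassword (and on another attribute) under the posted ACLs."""
    acls = parse_acls(ACLS_TEXT)
    return {
        "org1 admin, org1 userPassword": evaluate(acls, ADMIN_ORG1, ORG1_USER, "userPassword"),
        "org1 admin, org2 userPassword": evaluate(acls, ADMIN_ORG1, ORG2_USER, "userPassword"),
        "org1 admin, org1 other attribute": evaluate(acls, ADMIN_ORG1, ORG1_USER, "mail"),
        "user, own userPassword": evaluate(acls, ORG1_USER, ORG1_USER, "userPassword"),
        "anonymous, org1 userPassword": evaluate(acls, None, ORG1_USER, "userPassword"),
        "cn=auth, org1 userPassword": evaluate(acls, AUTH_DN, ORG1_USER, "userPassword"),
        "rootdn, org2 userPassword": evaluate(acls, ROOTDN, ORG2_USER, "userPassword"),
    }
```

Calling delegation_check() returns write for admin.org1 on an org1 user's userPassword, none on an org2 user's, and manage on the other attributes of org1 entries, which is the delegation the ACLs are meant to give. Two things the model also makes visible: the by dn="cn=admin,dc=domain,dc=tld" lines have no effect, since the rootdn is never subject to ACLs; and cn=auth,o=others gets none, not read, on userPassword of users under the org1 and org2 subtrees, because the subtree directives match first and fall through to "by * none" before the attribute-wide directive that grants cn=auth read is ever reached (it only applies to entries outside those subtrees). Whether that is intended depends on what cn=auth is used for, which the thread does not say. The model ignores the ppolicy overlay; pwdAllowUserChange and the other policy attributes apply on top of these ACLs, so "by self write" is still needed for users to change their own password.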

----- Original Message -----
From: "Buchan Milne" <bgmilne@staff.telkomsa.net>
To: openldap-technical@openldap.org
Cc: "Smaïne Kahlouch" <smainklh@free.fr>
Sent: Friday, 5 February 2010 11:02:22 GMT +01:00 Amsterdam / Berlin / Bern / Rome / Stockholm / Vienna
Subject: Re: ppolicy : managing passwords by another user than root

On Monday, 1 February 2010 21:37:11 Smaïne Kahlouch wrote:
> Could somebody help me please ?

With what?

> I'm asking a last time, then I would have to use my root account within
> my php code :/ (not secure at all)


Assuming your message is relevant to the subject of this thread, php is a dead 
end, as it has no password policy control. I have some perl scripts to manage 
password-policy changes.

Regards,
Buchan