
Re: Allowing users to update their passwords



On Tue, Oct 13, 2015 at 09:02:01AM +0200, Dieter Klünter wrote:

> Am Mon, 12 Oct 2015 16:13:18 -0500
> schrieb Kartik Vashishta <kartik.unix@gmail.com>:
> 
> > Team,
> > 
> > I am not anything but new to ldap. I have however successfully
> > installed and configured Openldap on CentOS7. Online material was a
> > BIG help.
> > 
> > I am trying to figure out how to allow users to change their own
> > passwords.
> > 
> > Googling pointed me out to this:
> > access to attrs=userPassword
> >         by self write
> >         by anonymous auth
> >         by users none
> > 
> > access to * by * read
> > 
> > But where and how does this get input into the ldap db. There is no
> > more a slapd.conf.
> 
> slapd-config(5)

Also
http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration

I would suggest changing the access list:

olcAccess: to attrs=userPassword
           by self =wx
           by anonymous auth
           by * none
olcAccess: to * by * read

The important change is the 'self' access. If you use 'write' then you are also
granting read access, so someone who gets control of an authenticated session
would be able to read the user's password. By using =w or =wx you allow
passwords to be changed and to be used in authentication, but you prevent them
being read.

You will need to search your config to find the appropriate entry to add the
above values to. It will be something like olcDatabase=mdb,cn=config.

You should also configure a strong hash function for passwords, and ideally you
should install a password policy overlay to enforce password hashing.
The choice of hash function depends on the libraries available in your
operating system. SSHA is always available but is very weak in the face of a
password cracker. The Linux/FreeBSD/OpenBSD '$1$', '$6$' and '$2a$' hashes are
very much stronger. Config looks like this:

olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: "$6$%.12s"

It should be added to the olcDatabase=frontend,cn=config entry.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------