
Re: using -W/-w <binddnpasswd>

Thanks a lot for the detailed description.

Still I haven't got it working. Following is my slapd.conf:
-------------------------------------------------------
include		/usr/local/etc/openldap/slapd.at.conf
include		/usr/local/etc/openldap/slapd.oc.conf
schemacheck	on

database ldbm
suffix "o=3com, c=us"
rootdn "o=3com, c=us"
rootpw password

access to *
       by self  write
       by *     none
--------------------------------------------------------

THE COMMAND I TRIED WAS:
ldappasswd -v -w a  -b "cn=Cibu Johny, o=3com, c=us" -h <ip addr of slapd server> "cn=*"

IT GAVE THE FOLLOWING ERROR MESSAGE: ('a' was the password set)

New password:
Re-enter new password:
cn=Cibu Johny, o=3com, c=us
ldap_modify: Insufficient access
--------------------------------------------------------

BUT WITH THE FOLLOWING ACL CHANGE, ldappasswd CHANGES THE PASSWORD:
--------------------------------------------------------
access to *
       by self  write
       by *     write
--------------------------------------------------------

But it does not require the -w flag. So what I don't understand is how slapd
recognizes the 'self'.


Thanks,
Cibu

nazard@dragoninc.on.ca <nazard@dragoninc.on.ca>  wrote --

> Those two options are used to specify the credentials passed to the
> ldap server. -W prompts you for the password and -w specifies one on
> the command line.
> 
> Now, to authenticate users you need to add a few access options to your
> slapd.conf file. For example, to allow access to certain attributes by
> certain people only, use something like this
> 
> access to dn=".*,ou=People,dc=dragoninc,dc=on,dc=ca" 
> attr=userpassword,ntpassword,lmpassword
>         by dn="uid=root,ou=People,dc=dragoninc,dc=on,dc=ca" write
>         by * none
> 
> to change the default permission to disallow everyone, use
> 
> defaultaccess none
> 
> 
> ACLs are checked top to bottom, so be careful of the order.
> 
> 
> Now to configure an entry to have a password, you need to create a
> userpassword attribute. The format is
> 
>         {crypt}standard unix encrypted password
> and/or
>         {md5}md5 hash of the password
> and/or
>         {sha1}sha1 hash of the password
> 
> note that the {} portion is actual text and required. So the password
> "password" would be something like
> 
>         {crypt}MRZzirkQbIFEk
> or
>         {md5}5f4dcc3b5aa765d61d8327deb882cf99
-- 
-------------------------------------------------------
 3com Corp.                     Off: 847-797-2954 [USA]
 Cibu_Johny@mw.3com.com         Res: 847-357-1041 [USA]
 http://CibuCJ.tripod.com       Mob: 847-287-9604 [USA]
-------------------------------------------------------
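An added model, not code from this thread or from OpenLDAP, of how slapd decides a `by self` clause: the DN the client bound with (given with -D in the OpenLDAP client tools, alongside the -w/-W password) is compared against the DN of the entry being modified, so a -w password with no bind DN is an anonymous bind and `by self` can never match, which is what produces "Insufficient access" under the first ACL and "write" under the `by * write` one. The ACL sets are transcribed from the post and the quoted reply; `uid=bob` is an assumed entry, and falling back to `defaultaccess` when nothing matches is a modelling assumption.

```python
import re

# Constructed ACL sets transcribed from this thread: the poster's two
# slapd.conf variants and the attribute-restricted rule in the quoted reply.
# Each rule: (target-DN regex, attribute set or None, list of 'by' clauses).
ACL_POSTED = [(".*", None, [("self", "write"), ("*", "none")])]
ACL_OPEN = [(".*", None, [("self", "write"), ("*", "write")])]
ACL_REPLY = [(".*,ou=People,dc=dragoninc,dc=on,dc=ca",
              {"userpassword", "ntpassword", "lmpassword"},
              [("dn=uid=root,ou=People,dc=dragoninc,dc=on,dc=ca", "write"),
               ("*", "none")])]

def norm(dn):
    """Case- and whitespace-insensitive DN form used for comparisons."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def evaluate(acls, bind_dn, target_dn, attr=None, defaultaccess="none"):
    """Top to bottom: first 'access to' rule matching the target, then its
    first matching 'by' clause. bind_dn=None models an anonymous bind."""
    for to_dn, attrs, clauses in acls:
        if not re.fullmatch(to_dn, norm(target_dn), re.IGNORECASE):
            continue
        if attrs is not None and (attr is None or attr.lower() not in attrs):
            continue
        for who, level in clauses:
            if who == "*":
                return level
            if bind_dn is None:      # 'self' and 'dn=' need a bound identity
                continue
            if who == "self" and norm(bind_dn) == norm(target_dn):
                return level
            if who.startswith("dn=") and norm(bind_dn) == norm(who[3:]):
                return level
        break                        # rule matched but no clause did
    return defaultaccess             # assumption: defaultaccess applies

ENTRY = "cn=Cibu Johny, o=3com, c=us"
BOB = "uid=bob,ou=People,dc=dragoninc,dc=on,dc=ca"      # assumed entry
ROOT = "uid=root,ou=People,dc=dragoninc,dc=on,dc=ca"

def demo():
    """Access each bind identity gets to userpassword under each ACL set."""
    return {
        "anonymous, posted ACL": evaluate(ACL_POSTED, None, ENTRY, "userpassword"),
        "bound as entry, posted ACL": evaluate(ACL_POSTED, ENTRY, ENTRY, "userpassword"),
        "anonymous, 'by * write' ACL": evaluate(ACL_OPEN, None, ENTRY, "userpassword"),
        "root on bob, reply ACL": evaluate(ACL_REPLY, ROOT, BOB, "userpassword"),
        "bob on himself, reply ACL": evaluate(ACL_REPLY, BOB, BOB, "userpassword"),
    }
```

Under the reply's rule only uid=root can write userpassword; it has no `by self` clause, so a user bound as himself gets `none` on his own password.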