
Re: [pamldap] A way around self write shadowLastChange?

The openldap group actually points this type of question to the padl or pam type groups because it is specific to authentication using pam.  

In looking at this solution I notice that it contradicts one thing I had been told.  I believe I was told that a user or self must have write access to the password attribute and to the shadowLastChange attribute.  Thus I have configured the following:

access to dn=".*,MyDomain" attr=shadowLastChange
        by dn="cn=Manager,MyDomain" write
        by self write
        by * read

access to dn=".*,MyDomain" attr=userPassword
        by dn="cn=Manager,MyDomain" write
        by self write
        by * read

access to dn=".*,MyDomain"
        by self write
        by users auth
        by * read

Are you saying that perhaps I can replace the first stanza with the stanza you provided below?

Thanks!
Eric Sammons
(804)697-3925
FRIT - Unix Systems

Jules Agee <julesa@pcf.com>
01/14/2004 04:03 PM

        To:        Eric.Sammons@frit.frb.org
        cc:
        Subject:   Re: [pamldap] A way around self write shadowLastChange?


This is more of a subject for the OpenLDAP lists.

That being said, you can set these parameters with an entry in your
OpenLDAP server's slapd.conf, something like this:

access to attr=uidnumber,gidnumber,homeDirectory,shadowLastChange
                by * read
                by * compare
                by dn="LDAPManagerDN" write
                by dn="LDAPManagerDN" read

See the LDAP admin guide at openldap.org for more details.

-Jules

Eric.Sammons@frit.frb.org wrote:
>
> In implementing OpenLDAP in my Linux environment and making use of the
> shadow attributes to enforce password expiration and force password
> change I have found concerns with the fact that self appears to have to
> have write access to the shadowLastChange attribute.  Several of my
> users are at least somewhat ldap savvy so they in fact could make it so
> that they never have to change their password.
>
> Is there a way around giving self write access to this attribute?  Is
> there a better implementation of LDAP and PAM as a central
> password/shadow/group repository used for authenticating Unix users;
> keeping in mind that password / shadow policies must be enforced?
>
> Thanks!
> Eric Sammons
> FRIT - Unix Systems


--
Jules Agee
System Administrator
Pacific Coast Feather Co.
julesa@pcf.com      x284
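Added example, not from this thread or from either poster: a small audit helper that evaluates slapd.conf-style access directives the way slapd does (first "access to" whose attributes match the target wins, then the first "by" clause that matches the requester wins, and a stanza with no matching "by" denies). It runs three constructed configurations through that rule: the pattern Eric starts from, where self can write shadowLastChange and so reset their own password age; a hardened version where self keeps write on userPassword but only the manager DN may write shadowLastChange; and a stanza with the clause order quoted above, where "by * read" comes first and therefore also matches the manager, so the later "write" line is never reached unless that DN is the rootdn (which bypasses ACLs entirely). The DNs (cn=Manager,dc=example,dc=com, uid=alice,...) are placeholders, the "dn=" target filter and dn.regex are not modelled, and whatever updates shadowLastChange on a user's behalf after such a change must then bind as the manager DN rather than as the user.

```python
import re

# Access levels in the order slapd ranks them: a higher level implies all
# lower ones ("write" includes read, compare, search and auth).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse slapd.conf-style 'access to ... by ...' stanzas.

    Returns a list of {"attrs": set or None, "by": [(who, level), ...]}.
    attrs is None when the stanza names no attributes (it then covers all).
    Only a small subset of the real syntax is handled: no dn.regex targets,
    no filters, no continuation lines, no stop/continue/break controls.
    """
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to"):
            m = re.search(r"attrs?=([\w,]+)", line)
            attrs = {a.lower() for a in m.group(1).split(",")} if m else None
            stanzas.append({"attrs": attrs, "by": []})
        elif line.startswith("by "):
            m = re.match(r"by\s+(\S+)\s+(\S+)", line)
            if not m or not stanzas:
                raise ValueError("malformed by-clause: " + line)
            stanzas[-1]["by"].append((m.group(1), m.group(2).lower()))
    return stanzas


def who_matches(who, requester_dn, target_dn):
    """Does a 'by <who>' clause match the bound DN (empty string = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    m = re.match(r'dn="([^"]*)"', who)
    if m:  # plain dn= is an exact match; dn.regex= is not modelled here
        return requester_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported who-clause: " + who)


def effective_access(stanzas, attr, requester_dn, target_dn):
    """Level granted to requester_dn on attr of target_dn under slapd's rule:
    first matching 'access to' wins, first matching 'by' within it wins,
    and a stanza whose 'by' clauses all miss denies access."""
    for stanza in stanzas:
        if stanza["attrs"] is not None and attr.lower() not in stanza["attrs"]:
            continue
        for who, level in stanza["by"]:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"
    return "read"  # slapd's implicit trailing "access to * by * read"


def can_write(stanzas, attr, requester_dn, target_dn):
    level = effective_access(stanzas, attr, requester_dn, target_dn)
    return LEVELS.index(level) >= LEVELS.index("write")


# Placeholder DNs for the constructed samples below.
MANAGER = "cn=Manager,dc=example,dc=com"
ALICE = "uid=alice,ou=People,dc=example,dc=com"

# Constructed sample: self may write shadowLastChange, so a user can reset
# their own password age and never be forced to change the password.
WEAK_ACL = """
access to attr=shadowLastChange
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * read

access to attr=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth
"""

# Constructed sample: self keeps write on userPassword, but only the
# manager DN may write shadowLastChange; everyone else can read it.
HARDENED_ACL = """
access to attr=shadowLastChange
        by dn="cn=Manager,dc=example,dc=com" write
        by * read

access to attr=userPassword
        by dn="cn=Manager,dc=example,dc=com" write
        by self write
        by * auth
"""

# Constructed sample with "by * read" first: it matches every requester,
# including the manager, so the later "write" clause is dead.
MISORDERED_ACL = """
access to attr=shadowLastChange
        by * read
        by * compare
        by dn="cn=Manager,dc=example,dc=com" write
"""


def audit(acl_text):
    """Summarise who can write the two attributes that matter for expiry."""
    s = parse_acl(acl_text)
    return {
        "self_can_write_shadowLastChange": can_write(s, "shadowLastChange", ALICE, ALICE),
        "self_can_write_userPassword": can_write(s, "userPassword", ALICE, ALICE),
        "manager_can_write_shadowLastChange": can_write(s, "shadowLastChange", MANAGER, ALICE),
    }


if __name__ == "__main__":
    for name, text in [("weak", WEAK_ACL), ("hardened", HARDENED_ACL), ("misordered", MISORDERED_ACL)]:
        print(name, audit(text))
```

Run it against a copy of your own stanzas: the check you want to see is self_can_write_shadowLastChange False with manager_can_write_shadowLastChange True, and any "by *" line placed ahead of a "by dn=" line is a sign the more specific clause will never fire.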