Re: How To set things up to allow users to change their passwords
At Sat, 05 Dec 2009 19:41:26 +0100 Zdenek Styblik <stybla@turnovfree.net> wrote:
>
> Robert Heller wrote:
> > At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik <stybla@turnovfree.net> wrote:
> >
> >> Robert Heller wrote:
> >>> At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter" <dieter@dkluenter.de> wrote:
> >>>
> >>>> Robert Heller <heller@deepsoft.com> writes:
> >>>>
> >>>>> I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
> >>>>> RPMS) and I want to allow users to change their passwords, but I am
> >>>>> confused by the documentation (it has both too much and not enough
> >>>>> information -- there don't appear to be simple HowTos for common setups).
> >>>> http://www.openldap.org/doc/admin24/slapdconfig.html
> >>>> see section 6.3
> >>> OK, I have set this up, and with some poking around I have gained a
> >>> better understanding of what is going on. I have another question:
> >>>
> >>> In the sample config it has an access control list that looks like:
> >>>
> >>> access to attrs=userPassword
> >>>     by self write
> >>>     by anonymous auth
> >>>     by dn.base="cn=Admin,dc=example,dc=com" write
> >>>     by * none
> >>>
> >>> Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this
> >>> something I add to slapd.config or insert into the database or ???
> >>>
> >> Evening,
> >>
> >> -- SNIP ---
> >> # cat /etc/openldap/slapd.conf
> >> ...
> >> rootdn "cn=Manager,dc=domain,dc=tld"
> >> rootpw {SSHA}blahBlahHash
> >
> > It already has a rootdn/rootpw, much like the sample one
>
> Should we have a crystal ball? You haven't shown us a bit of your
> configs and expecting miracles?
Basically pretty much straight from section 6.3 of the Admin guide.
> Yes, I'm being rude. Yes, I found your question as a "basic know-how"
> thing. Also, whole thing can be studied in many books out there. And
> believe it, it's not that much to read.
I've *been* reading the admin guide. It is just not clear to me.
> Also, if you are looking for some very specific how-to which is going to
> be tailored specially for you, I somewhat resigned on such ideas. But
> yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos
> [oh, well - google?].
I'm using CentOS (RHEL).
> If you don't want to waste time with setting up OpenLDAP, which you
> should if you're real about using it, then pay somebody. There are
> companies doing it for living.
>
> >(in section
> > 6.3) for 'cn=Manager,dc=example,dc=com', the sample slapd.config has this also.
> > The slapd.config in section 6.3 *ALSO* refers to the DN
> > "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from
> > "cn=Manager,dc=example,dc=com". How do I specify a password for this
> > *OTHER* DN?
>
> You will use % slappasswd; to generate HASH password. Then, you will use
> % ldapadd; or % ldapmod;, to add new user entry with DN:
> 'cn=Admin,dc=example,dc=com'. Please, do read manual pages for those, or
> some books about LDIF.
I've read the docs, they just don't seem clear.
>
> > Or is the slapd.conf in section 6.3 just being gratuitously
> > confusing for no good reason?
>
> Well, that's possible. It's been written by people. If there are
> mistakes, please, point them out (ideally with appropriate fixes), so
> they can be fixed/clarified. Yeah, Admin's guide isn't perfect. In
> fact, some sections are missing, or lack information.
>
> > I understand that the rootdn has write
> > access to everything, no matter what the ACLs say. I'm presuming that the
> > ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to
> > updating accounts. How do I set this other person's password? Is this
> > in the database, slapd.conf or ldap.conf or someplace else?
> >
>
> Use % ldapmod;.
>
> >> -----------
> >>
> >> Regards,
> >> Zdenek
> >>
> >
>
> Zdenek
>
--
Robert Heller -- 978-544-6933
Deepwoods Software -- Download the Model Railroad System
http://www.deepsoft.com/ -- Binaries for Linux and MS-Windows
heller@deepsoft.com -- http://www.deepsoft.com/ModelRailroadSystem/