
Re: How To set things up to allow users to change their passwords



At Sat, 05 Dec 2009 21:12:14 +0100 Zdenek Styblik <stybla@turnovfree.net> wrote:

> 
> Robert Heller wrote:
> > At Sat, 05 Dec 2009 19:41:26 +0100 Zdenek Styblik <stybla@turnovfree.net> wrote:
> > 
> >> Robert Heller wrote:
> >>> At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik <stybla@turnovfree.net> wrote:
> >>>
> >>>> Robert Heller wrote:
> >>>>> At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter" <dieter@dkluenter.de> wrote:
> >>>>>
> >>>>>> Robert Heller <heller@deepsoft.com> writes:
> >>>>>>
> >>>>>>> I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
> >>>>>>> RPMS) and I want to allow users to change their passwords, but I am
> >>>>>>> confused by the documentation (it has both too much and not enough
> >>>>>>> information -- there don't appear to be simple HowTos for common setups).
> >>>>>> http://www.openldap.org/doc/admin24/slapdconfig.html
> >>>>>>  see section 6.3
> >>>>> OK, I have set this up, and with some poking around I have gained a
> >>>>> better understanding of what is going on.  I have another question:
> >>>>>
> >>>>> In the sample config it has an access control list that looks like:
> >>>>>
> >>>>> access to attrs=userPassword
> >>>>> 	by self write
> >>>>> 	by anonymous auth
> >>>>> 	by dn.base="cn=Admin,dc=example,dc=com" write
> >>>>> 	by * none
> >>>>>
> >>>>> Where does the password for "cn=Admin,dc=example,dc=com" exist?  Is this
> >>>>> something I add to slapd.config or insert into the database or ???
> >>>>>
> >>>> Evening,
> >>>>
> >>>> -- SNIP ---
> >>>> # cat /etc/openldap/slapd.conf
> >>>> ...
> >>>> rootdn		"cn=Manager,dc=domain,dc=tld"
> >>>> rootpw		{SSHA}blahBlahHash
> >>> It already has a rootdn/rootpw, much like the sample one 
> >> Should we have a crystal ball? You haven't shown us a bit of your
> >> configs, and are expecting miracles?
> > 
> > Basically pretty much straight from section 6.3 of the Admin guide.
> > 
> 
> Well, ok then. Btw you're reading the guide for 2.4.x (and you have 2.3.x).

Yes, I know.

> Anyway. Yes, 'Admin' entry != Manager entry. It's probably been added
> later by a 3rd-party application, or using % slapadd; or % slapmod;
> It's an example of how to grant permissions to attributes.

This was just not stated in the admin documentation.

> 
> >> Yes, I'm being rude. Yes, I found your question as a "basic know-how"
> >> thing. Also, the whole thing can be studied in many books out there. And
> >> believe it, it's not that much to read.
> > 
> > I've *been* reading the admin guide.  It is just not clear to me.
> > 
> >> Also, if you are looking for some very specific how-to which is going to
> >> be tailored specially for you, I somewhat resigned on such ideas. But
> >> yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos
> >> [oh, well - google?].
> > 
> > I'm using CentOS (RHEL).
> > 
> 
> This is not Windows. This is the world of GNU/Linux. I'm just surprised by the
> assumption (usually the employer's vision) that you have to know some
> distribution inside and out to be able to administer it. It's GNU/Linux
> and it doesn't matter if it's called CentOS, Fedora, Bubuntu, Gentoo or
> what not.

I've been using and admining Linux since kernel version 0.99 (an early
Slackware release, installed from a shoebox full of floppies).  I've
been using RedHat from RH 4.2 (not RHEL4!) through RH 9 (skipping RH 8),
WBL 3.0, and CentOS 4.x and CentOS 5.x.  *I've* *never* used MS-Windows.

The thing is, I in fact have OpenLDAP up and running just fine and
everything works, except there is just the lack of something to allow
users to change their passwords.  That is the only thing I am having
trouble with.  And the only thing that does not seem to be well covered
in the admin guide.

> I'm not going to google for you, sorry. If there is no specific how-to
> for CentOS, which I almost fail to believe, then improvise. Read the how-to

There is a set of docs for RHEL (same thing as CentOS).  They just lack
explaining how to set things up to allow users to change their own
passwords.  I followed this doc to get OpenLDAP up and running.

> for another distro and put the pieces together. I presume you know how to
> install packages in CentOS, don't you? You should be able to handle the
> rest. I can imagine only the location of files and the text editor used will differ.

I have been googling, but not getting results that are all that useful.  The
latest is a reference to a book 'OpenLDAP by Example', which the ACM
claims exists, but Amazon does not carry (not even listed as
out-of-print).

> 
> >> If you don't want to waste time with setting up OpenLDAP, which you
> >> should if you're real about using it, then pay somebody. There are
> >> companies doing it for living.
> >>
> >>> (in section
> >>> 6.3) for 'cn=Manager,dc=example,dc=com', the sample slapd.config has this also. 
> >>> The slapd.config in section 6.3 *ALSO* refers to the DN
> >>> "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from
> >>> "cn=Manager,dc=example,dc=com".  How do a specify a password for this
> >>> *OTHER* DN?  
> >> You will use % slappasswd; to generate HASH password. Then, you will use
> >> % ldapadd; or % ldapmod;, to add new user entry with DN:
> >> 'cn=Admin,dc=example,dc=com'. Please, do read manual pages for those, or
> >> some books about LDIF.
> > 
> > I've read the docs, they just don't seem clear.  
> > 
> 
> I've just described the whole process to you. What exactly isn't clear?

Oh, I understand your explanation above, but your explanation is not in
the admin guide -- in its example slapd.config section it makes no
reference to where things are coming from.  This seems like a problem
with the manual on some level.

> btw Why don't you use some 3rd-party application like e.g. Apache Directory
> Studio? I'm pretty sure it'd make things easier (and faster) for you.

I don't need a heavyweight application and I would prefer something that
is installed from a CentOS/RHEL repository, rather than installed from
source -- that is something under the O/S's package management system.

> 
> >>> Or is the slapd.conf in section 6.3 just being gratuitously
> >>> confusing for no good reason?  
> >> Well, that's possible. It's been written by people. If there are
> >> mistakes, please, point them out (ideally with appropriate fixes), so
> >> they can be fixed/clarified. Yeah, Admin's guide isn't perfect. In
> >> fact, some sections are missing, or lack information.
> >>
> >>> I understand that the rootdn has write
> >>> access to everything, no matter what the ACLs say.  I'm presuming that the
> >>> ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to
> >>> updating accounts.  How do I set this other person's password?  Is this
> >>> in the database, slapd.conf or ldap.conf or someplace else?
> >>>
> >> Use % ldapmod;.
> >>
> >>>> -----------
> >>>>
> >>>> Regards,
> >>>> Zdenek
> >>>>
> >> Zdenek
> >>
> > 
> 
> Zdenek
> 

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
heller@deepsoft.com       -- http://www.deepsoft.com/ModelRailroadSystem/