[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How to let users change their passwords?

On 26/07/2010, at 5:56 AM, Zdenek Styblik wrote:

> Hash: SHA1
> On 07/23/10 22:49, Steven Truong wrote:
>> Dear, all.  I have been searching low and high for a tool that can let
>> users to change their passwords in 389 DS or OpenLDAP?  I think there
>> is a real need for such a tool and I hope that people already wrote
>> such a tool...
>> Please share your ways of how you allow your users to change their
>> passwords or other setup/architecture that allow this function.
>> Beside that, I also recommend Apache Studio as a great tool to work
>> with LDAP servers.....
>> Thank you in advance.
> Uh, doesn't Apache Studio allow that? % ldapmodify;, % passwd; via PAM
> (ldap-padl sadly doesn't), via web application, ...
> I don't mean to be rude or whatever, but if you're looking for ultimate
> answer, there is none.
> I've scripted web application (not only) for such purpose. I was
> thinking about modifying ldap-padl, but it would take years with my C
> skills and there are (always) tasks with higher priority.

As i understand it, in padl_ldap with the pam_ldap.so module, if you set "pam_password exop" in nss_ldap.conf, it allows the passwd utility to modify the password on the command line. At my other place of work, we have a series of webservices that use php to modify the ldap password. 

Also, if you run a samba domain from your ldap system, the smbpasswd utility will update both the ldap and the smb password attributes in a single shot, and i plan to write a webapplication that uses this in the future as i maintain a samba pdc with an ldap backend. 

I think it may come down to a custom job that you need to implement and code yourself, even if it is just a simple script. The outline of it is

1) Have a user prove they are who they say they are (check their current password)
2) As the bind from step one, that gives them the write permission to their own password attribute
3) Update the password
4) Unbind

If you want an automated password reset, you likely want to have a "manager" application that has write to you user tree, and when a user requests a password change, you can have the "manager" reset to a random password, and then send the new password to your user via their mail: attribute. 

I hope this helps you 

PS - i find the python ldap libraries fantastic if you want to make a CLI tool.

> Regards,
> Zdenek
> - -- 
> Zdenek Styblik
> Net/Linux admin
> OS TurnovFree.net
> email: stybla@turnovfree.net
> jabber: stybla@jabber.turnovfree.net
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> XGEAniV1QkVFhi4GsDxZl0uaVPbclgDa
> =Er7U