Anne Moore wrote:
Thanks, Nigel. I'll give it a shot today and see what happens.
Anne
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx]
On Behalf Of Nigel Wade
Sent: Friday, September 14, 2007 4:25 AM
To: General Red Hat Linux discussion list
Subject: Re: How to create encrypted password via command line
Anne Moore wrote:
<<Has slapd.conf been configured to allow users write permission to
their passwords?>>
Hmmm, well, good question! I checked through the file but could not
determine what should be enabled for that. Do you know what it would
take to enable users to have write permission to their passwords?
Thanks!
The specifics are totally dependent on your slapd.conf ACLs. The order of
the ACLs is highly significant and just inserting a new ACL can render later
ACLs useless. Getting this one wrong can render your LDAP authentication
scheme useless, or wide open for anyone to read your entire password
database.
What you need is something *like* this, fairly high up in the ACL tree:
access to dn.subtree="dc=your root" attrs=userPassword
        by self write
        by dn="uid=<rootbinddn>,dc=your root" write
        by anonymous auth
        by * none
One way to test it is to try changing a user's password using ldappasswd,
binding as that user with their existing password. ldappasswd is part of the
openldap-client package.
I should have added to this that there must surely be an ACL of this
form somewhere in slapd.conf. The "by anonymous auth" part is required
to allow authentication by binding, which is what nss_ldap does. If you
can authenticate logins by nss_ldap then I'm pretty sure anonymous auth
has to be enabled in slapd.conf.
The line:
dn="uid=<rootbinddn>,dc=your root" write
allows root to change a user's password using passwd/nss_ldap. The dn is
what you specified as rootbinddn in /etc/ldap.conf.
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw@xxxxxxxxxxxx
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
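The ordering point Nigel makes (a directive inserted above the userPassword ACL can silently swallow it) is easy to check offline before touching a live server. The script below is an added example, not code from this thread or from OpenLDAP: it is a deliberately small model of how slapd evaluates "access to ... by ..." directives (first matching directive wins, then first matching "by" clause wins, with an implicit "by * none" at the end of each directive) and runs the ACL from the reply against a second, general-purpose directive placed either below it or above it. The dc=example,dc=com suffix, the uid=anne/uid=bob/uid=rootbind DNs, and the second directive are all constructed sample data; only the self/anonymous/users/*/dn="..." subjects and a suffix-style dn.subtree match are modelled.

```python
"""Toy model of slapd.conf 'access' directive evaluation (added example,
not OpenLDAP code). Models the subset of slapd.access(5) needed to show why
directive order matters. DNs and ACL text below are constructed samples."""
import re

# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

BY_RE = re.compile(r'by\s+(self|anonymous|users|\*|dn="[^"]*")\s+(\w+)')


def norm_dn(dn):
    """Lower-case and strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_acl(text):
    """Parse 'access to <target> by <subject> <level> ...' directives into
    (subtree_or_None, attrs_or_None, [(subject, level), ...]) tuples.
    Indented lines are continuations, as in slapd.conf."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    directives = []
    for line in lines:
        m = re.match(r'access\s+to\s+(.*?)\s+(by\s+.*)$', line)
        if not m:
            raise ValueError("not an access directive: " + line)
        target, by_part = m.groups()
        sub = re.search(r'dn\.subtree="([^"]*)"', target)
        at = re.search(r'attrs=(\S+)', target)
        directives.append((
            norm_dn(sub.group(1)) if sub else None,
            {a.strip().lower() for a in at.group(1).split(",")} if at else None,
            [(s, lvl.lower()) for s, lvl in BY_RE.findall(by_part)],
        ))
    return directives


def subject_matches(subject, requester, target_dn):
    """Does a 'by' subject apply? requester is None for an anonymous bind."""
    if subject == "*":
        return True
    if subject == "anonymous":
        return requester is None
    if subject == "users":
        return requester is not None
    if subject == "self":
        return requester is not None and norm_dn(requester) == norm_dn(target_dn)
    return requester is not None and norm_dn(requester) == norm_dn(subject[4:-1])


def access_for(directives, target_dn, attr, requester):
    """Level requester gets on attr of target_dn. First matching directive
    wins; within it the first matching 'by' wins; a matching directive with
    no matching 'by' denies. No directive matching at all is treated as none
    here (slapd's own fallback in that case is configuration-dependent)."""
    tdn = norm_dn(target_dn)
    for subtree, attrs, by in directives:
        if subtree is not None and not (tdn == subtree or tdn.endswith("," + subtree)):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        for subject, level in by:
            if subject_matches(subject, requester, target_dn):
                return level
        return "none"
    return "none"


def allows(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)


# Ordering from the reply: the userPassword rule sits above the general one.
GOOD_ACL = """
access to dn.subtree="dc=example,dc=com" attrs=userPassword
        by self write
        by dn="uid=rootbind,dc=example,dc=com" write
        by anonymous auth
        by * none
access to dn.subtree="dc=example,dc=com"
        by users read
        by * auth
"""

# Same two rules with the general one first: it matches userPassword too,
# so the password-specific rule below it is never reached.
BAD_ACL = GOOD_ACL.split("access to", 2)
BAD_ACL = "access to" + BAD_ACL[2] + "access to" + BAD_ACL[1]

ANNE = "uid=anne,dc=example,dc=com"
BOB = "uid=bob,dc=example,dc=com"
ROOTBIND = "uid=rootbind,dc=example,dc=com"  # hypothetical rootbinddn


def password_checks(acl_text):
    """Summarise what the ACL permits on userPassword for a few requesters."""
    acl = parse_acl(acl_text)
    return {
        "self_can_change": allows(access_for(acl, ANNE, "userPassword", ANNE), "write"),
        "rootbind_can_set": allows(access_for(acl, BOB, "userPassword", ROOTBIND), "write"),
        "anonymous_can_bind": allows(access_for(acl, BOB, "userPassword", None), "auth"),
        "anonymous_can_read": allows(access_for(acl, BOB, "userPassword", None), "read"),
        "user_reads_others": allows(access_for(acl, BOB, "userPassword", ANNE), "read"),
    }
```

With the recommended order, self gets write, the rootbinddn gets write, anonymous gets auth only (enough for the simple bind nss_ldap performs, not enough to read hashes), and other users get nothing. With the general directive moved above it, every authenticated user can read every userPassword value and nobody, not even self or the rootbinddn, can change one: exactly the two failure modes the reply warns about. The live counterpart of this check is Nigel's ldappasswd test, for example `ldappasswd -x -H ldap://localhost -D "uid=anne,dc=example,dc=com" -W -S`, run as the user against the real server.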