Re: openLDAP and user passwords

Hi,

I don't think you quite want that...

I think you want:
access to attr=userPassword
	by self write
	by anonymous auth
	by * none

access to *
	by * read

You don't really want users to be able to change any attribute about themselves...

Cheers,
Harry


m.roth2006@xxxxxxx wrote:
After days of googling and reading docs, threads, and playing all sorts of games, I've *finally* solved it.

Since three-quarters of everything I found ended with "so how the hell *do* you enable users to change their own passwords", and no answer, let me give the answers.

In /usr/local/etc/openldap/slapd.conf, the ACL is
<snip>
 access to attr=userPassword
        by self =xw
        by anonymous auth

 access to *
        by self write
        by * read

<snip>
NOTE THAT EACH STANZA *MUST* END WITH A BLANK LINE.

Then, the magic incantation with ldappasswd, I wrapped with a tiny shell script, since ldappasswd *first* asks for the new password, then, as an afterthought, it asks for the current, like no password program I've ever seen. The wrapper is (and this assumes that your users are in the d/b under ou=people):

#!/bin/bash
# Wrapper around ldappasswd that asks for the current password before the new one.
# Assumes the user entries live under ou=people; adjust the base DN to your directory.

thisuser=`whoami`
echo "About to update $thisuser's password"
echo
read -p "Current password: " -s opwd
echo
read -p "New password: " -s npwd
echo
# -w and -s pass both passwords as command-line arguments, which can be briefly
# visible to other local users in the process list; ldappasswd's -y/-T options
# read the bind and new passwords from files instead. Quoting the DN and the
# passwords keeps spaces or shell metacharacters in them from breaking the call.
ldappasswd -x -D "cn=$thisuser,ou=people,dc=att,dc=com" -w "$opwd" -s "$npwd"

Feel free to pass this on. Hope it keeps some of you from denting your cube walls as you try to deal with openldap.

   mark "UMich? openldap? F, as in FLUNK"


--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
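A small model of slapd's first-match ACL evaluation, added here as an illustration (not code from either poster or from OpenLDAP), comparing the two ACL sets in this thread. It assumes the simplified privilege letters d/x/c/s/r/w for disclose/auth/compare/search/read/write and constructed DNs under ou=people,dc=example,dc=com; it shows that "access to * by self write" lets a user rewrite any of their own attributes, and that "by self =xw" is tighter than "by self write" because it grants no read on the stored password value.

```python
# Minimal model of slapd's first-match ACL evaluation (constructed; not OpenLDAP code).
LEVELS = {"none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
          "search": "dxcs", "read": "dxcsr", "write": "dxcsrw"}

def parse_priv(spec):
    """'=xw' grants exactly those letters; a level name implies every lower level."""
    return set(spec[1:]) if spec.startswith("=") else set(LEVELS[spec])

def parse_acl(text):
    """Turn 'access to <what>' / 'by <who> <priv>' lines into [(what, [(who, privs)])]."""
    acl = []
    for tok in (ln.split() for ln in text.splitlines() if ln.strip()):
        if tok[0] == "access":
            acl.append((tok[2], []))                    # ['access', 'to', '<what>']
        else:
            acl[-1][1].append((tok[1], parse_priv(tok[2])))   # ['by', '<who>', '<priv>']
    return acl

def who_matches(who, requester, target_dn):  # requester: bound DN, or None if anonymous
    return {"*": True, "anonymous": requester is None, "users": requester is not None,
            "self": requester is not None and requester == target_dn}.get(who, False)

def check(acl, requester, target_dn, attr, priv):
    """True if requester holds privilege letter `priv` on `attr` of `target_dn`."""
    for what, clauses in acl:
        # <what> is either '*' (entry and all attributes) or 'attr=a,b' / 'attrs=a,b'
        if what != "*" and attr not in what.split("=", 1)[1].split(","):
            continue
        for who, privs in clauses:
            if who_matches(who, requester, target_dn):
                return priv in privs                    # first matching 'by' clause decides
        return False                                    # no 'by' matched: implicit 'by * none'
    return False                                        # no directive matched: denied

MARKS_ACL = parse_acl("""
access to attr=userPassword
    by self =xw
    by anonymous auth
access to *
    by self write
    by * read""")
HARRYS_ACL = parse_acl("""
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read""")
ME, OTHER = "cn=mark,ou=people,dc=example,dc=com", "cn=alice,ou=people,dc=example,dc=com"
```

Calling check(MARKS_ACL, ME, ME, "mail", "w") returns True while the same call against HARRYS_ACL returns False, which is exactly the "change any attribute about themselves" difference Harry points out.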
