Hi,
I don't think you quite want that...
I think you want:
access: to attr=userPassword
by self write
by anonymous auth
by * none
access to *
by * read
You don't really want users to be able to change any attribute about
themselves...
Cheers,
Harry
m.roth2006@xxxxxxx wrote:
After days of googling and reading docs, threads, and playing all sorts of games, I've *finally* solved it.
Since three-quarters of everything I found ended with "so how the hell *do* you enable users to change their own passwords", and no answer, let me give the answers.
In /usr/local/etc/openldap/slapd.conf, the ACL is
<snip>
access: to attr=userPassword
by self =xw
by anonymous auth
access to *
by self write
by * read
<snip>
NOTE THAT EACH STANZA *MUST* END WITH A BLANK LINE.
Then, the magic incantation with ldappasswd, I wrapped with a tiny shell script, since ldappasswd *first* asks for the new password, then, as an afterthough, it asks for the current, like no password program I've ever seen. The wrapper is (and this assumes that your users are in the d/b under ou=people):
#!/bin/bash
thisuser=`whoami`
echo "About to update $thisuser's password"
echo
read -p "Current password: " -s opwd
echo
read -p "New password: " -s npwd
echo
ldappasswd -x -D cn=$thisuser,ou=people,dc=att,dc=com -w $opwd -s $npwd
Feel free to pass this on. Hope it keeps some of you from denting your cube walls as you try to deal with openldap.
mark "UMich? openldap? F, as in FLUNK"
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
