Re: Access control - passwords and accounts
On Fri, 12 Nov 1999, Kevin Myer wrote:
> First, I'd like to lock down the userPassword attribute as much as
> possible, so someone can't snoop around and harvest passwords. However, I
> think I have a problem, in that pam_ldap and nss_ldap bind anonymously,
> when looking up user account information.
(I assume you're talking about PADL Software's pam_ldap and nss_ldap modules.)
pam_ldap binds anonymously to locate a user, but does not need access to the
userPassword attribute for authentication at this point; upon finding the
user in the DIT, pam_ldap tries an authenticated bind using the DN and
password - this works.
nss_ldap, if configured to do so, will perform lookups anonymously; if the
userPassword attribute is hidden, it will return a single "x" in pwent queries
(just like local shadow passwords). This is generally the desired effect.
> The user and the admin can change the password but that's it.
That's "the desired effect". ;-)
> I guess I could modify the config file for pam_ldap and nss_ldap to bind as
> manager.
Except the /etc/ldap.conf file needs to be world-readable - not a good idea to
have your directory server's admin DN/password in such a file. ;-)
> Also, does granting write access to an attribute implicitly grant read
> access to it as well?
According to this:
http://www.umich.edu/~dirsvcs/ldap/doc/guides/slapd/5.html#RTFToC31
yes.
> Secondly, is there any way to lock down on which machines a user account
> is active?
According to the pam_ldap README:
Supports access authorization on the "host" attribute of the
account objectclass...
The "account" object class is defined in RFC 1274. See the _host_ok()
function in pam_ldap.
> Finally, I need to come up with something simple to allow users to change
> their passwords, via a web interface. What would be the recommendations
> there - PHP, cgi script or ???
The recommendation is, whatever suits your current environment and whatever
you're comfortable with (seriously); some sites prefer Python, others Perl.
There's no need to install PHP (for example) just for this one task. Any
language/environment that can talk directly to an LDAP server oughtta be fine.
Cheers..
dave
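The flow dave describes above (anonymous search to find the DN, authenticated bind as that DN, the "host" attribute check, "x" in pwent output when userPassword is hidden, and write access limited to the user and the admin), as an added example that is not part of the original thread and is not code from PADL's pam_ldap or nss_ldap. It runs offline against a constructed in-memory stand-in for slapd that enforces the equivalent of the modern slapd.conf rule `access to attrs=userPassword by self write by anonymous auth by * none`. The manager DN, the sample entry, the fixed salt and the SSHA helpers (which follow OpenLDAP's {SSHA} storage scheme) are constructed for the example; treating "*" in the host attribute as a wildcard is an assumption about _host_ok(), not something the thread states.

```python
# Added example: an offline model of the pam_ldap/nss_ldap flow described in
# the thread.  Directory is a constructed stand-in for slapd, not an LDAP client.
from __future__ import annotations

import base64
import hashlib
import os
import socket

MANAGER_DN = "cn=Manager,dc=example,dc=com"  # constructed admin (rootdn) DN


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate against an {SSHA} value; this is what a bind does."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest


class Directory:
    """Constructed slapd stand-in enforcing, for userPassword:
    by self write / by anonymous auth / by * none."""

    def __init__(self, entries: dict[str, dict[str, list[str]]]):
        self.entries = {dn.lower(): (dn, attrs) for dn, attrs in entries.items()}

    def search_uid(self, bound_as: str | None, uid: str):
        """Return (dn, attrs) for a uid.  userPassword is visible only to the
        entry itself or the rootdn (which bypasses ACLs): 'by * none' for others."""
        for dn, attrs in self.entries.values():
            if attrs.get("uid") == [uid]:
                visible = dict(attrs)
                if (bound_as or "").lower() not in (dn.lower(), MANAGER_DN.lower()):
                    visible.pop("userPassword", None)
                return dn, visible
        return None

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind.  'by anonymous auth' lets the server compare the password
        without disclosing it.  An empty password is an anonymous bind in LDAP,
        so it must never count as a successful authentication."""
        entry = self.entries.get(dn.lower())
        if entry is None or not password:
            return False
        return ssha_verify(password, entry[1]["userPassword"][0])

    def set_password(self, bound_as: str | None, target_dn: str, new_pw: str) -> bool:
        """Write access: the user on their own entry ('by self write') or the admin."""
        target = target_dn.lower()
        if target not in self.entries:
            return False
        if (bound_as or "").lower() not in (target, MANAGER_DN.lower()):
            return False
        self.entries[target][1]["userPassword"] = [ssha_hash(new_pw)]
        return True


def pwent_line(attrs: dict[str, list[str]]) -> str:
    """passwd(5)-style line as nss_ldap builds it: 'x' when userPassword is hidden."""
    return ":".join([attrs["uid"][0], attrs.get("userPassword", ["x"])[0],
                     attrs["uidNumber"][0], attrs["gidNumber"][0], "",
                     attrs["homeDirectory"][0], attrs["loginShell"][0]])


def host_ok(attrs: dict[str, list[str]], local_host: str) -> bool:
    """Authorise on the RFC 1274 'host' attribute, as pam_ldap's _host_ok() does:
    case-insensitive match on the local host name.  Treating '*' as a wildcard is
    an assumption of this model.  No host values at all means access nowhere."""
    return any(h == "*" or h.lower() == local_host.lower()
               for h in attrs.get("host", []))


def pam_authenticate(directory: Directory, uid: str, password: str,
                     local_host: str | None = None) -> str:
    """The pam_ldap sequence: anonymous search for the DN (no password read),
    authenticated bind as that DN, then the host check.  Returns a PAM code."""
    found = directory.search_uid(None, uid)
    if found is None:
        return "PAM_USER_UNKNOWN"
    dn, attrs = found
    if not directory.bind(dn, password):
        return "PAM_AUTH_ERR"
    if not host_ok(attrs, local_host or socket.gethostname()):
        return "PAM_PERM_DENIED"
    return "PAM_SUCCESS"


# Constructed sample entry; the salt is fixed so the hash is reproducible.
KEVIN_DN = "uid=kevin,ou=People,dc=example,dc=com"
SAMPLE = Directory({KEVIN_DN: {
    "uid": ["kevin"], "uidNumber": ["1001"], "gidNumber": ["100"],
    "homeDirectory": ["/home/kevin"], "loginShell": ["/bin/sh"],
    "host": ["shell1.example.com", "mail.example.com"],
    "userPassword": [ssha_hash("s3cret", salt=b"salt")],
}})
```

Calling `pam_authenticate(SAMPLE, "kevin", "s3cret", "shell1.example.com")` returns PAM_SUCCESS, the same credentials from "db.example.com" return PAM_PERM_DENIED, and `pwent_line(SAMPLE.search_uid(None, "kevin")[1])` shows the "x" that an anonymous nss_ldap lookup produces. Note that the password is never read by the client: the anonymous search strips userPassword, and only the bind (server-side compare) touches it, which is exactly why hiding the attribute does not break pam_ldap.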