
Re: LDAP Auth and users changing their passwords



Ok I will try this.

This brings me to a further question. How does pam ldap authenticate the user to the ldap directory so that they can change their userPassword attribute? I am assuming that the user has to bind to the ldap directory via simple authentication and then is allowed to change only its password field?

Sorry if I am fishing a bit here, I am still trying to wrap my head around how the authentication is actually happening and how the process of updating entries in the directory should be accomplished. Preferably I would like to have each user authenticated to the directory in such a way as to allow them to access only their entry for userPassword and be the only ones, besides the rootdn, to be able to write to it.

Just in case, here is an example entry in my directory for a user.

dn: uid=tmartin,ou=People,dc=physics,dc=ucsd,dc=edu
uid: tmartin
cn: tmartin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}hashhashhashhash
shadowLastChange: 12270
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/tmartin

I am authenticating fine to both my Linux clients and my Cyrus IMAP server. Now I am looking to nail down the whole user management issue. Part of that is allowing users to change their own passwords. I am just not sure what is the best/most common approach.

Terrence


Terry.Inzauro@infoUSA.com wrote:

I believe the ldap pam module is responsible for this.



Terry Inzauro



-----Original Message-----
From: Terrence Martin [mailto:tmartin@physics.ucsd.edu]
Sent: Tuesday, August 26, 2003 4:49 PM
Cc: openldap-software@OpenLDAP.org
Subject: LDAP Auth and users changing their passwords


I was wondering what people are using to allow users to change their passwords in the ldap directory when using ldap for authentication.

My situation is that I want users to be able to change their Unix
account passwords through a mechanism similar to the passwd(1) command
but have those changes be reflected in the ldap database.

Web or command line interface is fine.

Terrence
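
Added example, not part of the original thread or of either poster's configuration: a slapd.conf access-control fragment for the arrangement asked about above, where each user, bound as their own DN, can write only their own userPassword and nobody else can read it. The shadowLastChange rule and the read-only default for everything else are assumptions to adapt to site policy.

```conf
# slapd.conf fragment (constructed example).
# The first "access to" clause that matches the target is used, and
# inside that clause the first matching "by" line decides the result.

# userPassword:
#   self      - a client bound as the entry's own DN may replace the value
#   anonymous - unauthenticated clients may use it only to bind (auth),
#               they cannot read or compare the stored hash
#   *         - every other identity gets no access at all
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# shadowLastChange is commonly rewritten by the client when the password
# changes, so the owner needs write access here as well (assumption:
# shadowAccount entries are in use, as in the entry shown in the thread).
access to attrs=shadowLastChange
        by self write
        by * read

# Everything else stays read-only for all clients (assumption; tighten
# to "by users read" or narrower if anonymous lookups are not needed).
access to *
        by * read

# No rule is needed for the rootdn: it is not subject to access
# control and can always write every attribute.
```

With rules like these, a password change is a write made over a connection bound as the user's own DN with the current password, for example `ldappasswd -x -D "<user DN>" -W -S`.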