[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [pamldap] A way around self write shadowLastChange?

To: Jules Agee <julesa@pcf.com>
Subject: Re: [pamldap] A way around self write shadowLastChange?
From: Eric.Sammons@frit.frb.org
Date: Wed, 14 Jan 2004 16:14:22 -0500
Cc: pamldap@padl.com, openldap-software@OpenLDAP.org
In-reply-to: <4005AEA2.6050401@pcf.com>

The openldap group actually points this type of question to the padl or pam type groups because it is specific to authentication using pam.

In looking at this solution I notice that it contradicts one thing I had been told. I believe I was told that a user or self must have write access to the password attribute and to the shadowLastChange attribute. Thus I have configured the following:

access to dn=".*,MyDomain" attr=shadowLastChange
by dn="cn=Manager,MyDomain" write
by self write
by * read

access to dn=".*,MyDomain" attr=userPassword
by dn="cn=Manager,MyDomain" write
by self write
by * read

access to dn=".*,MyDomain"
by self write
by users auth
by * read

Are you saying that perhaps I can replace the first stanza with the stanza you provided below?

Thanks!
Eric Sammons
(804)697-3925
FRIT - Unix Systems

Jules Agee <julesa@pcf.com>

01/14/2004 04:03 PM

To: Eric.Sammons@frit.frb.org
cc:
Subject: Re: [pamldap] A way around self write shadowLastChange?

This is more of a subject for the OpenLDAP lists. That being said, you can set these parameters with an entry in your OpenLDAP server's slapd.conf, something like this: access to attr=uidnumber,gidnumber,homeDirectory,shadowLastChange by * read by * compare by dn="LDAPManagerDN" write by dn="LDAPManagerDN" read See the LDAP admin guide at openldap.org for more details. -Jules Eric.Sammons@frit.frb.org wrote: > > In implementing OpenLdap in my Linux environment and making use of the > shadow attributes to enforce password expiration and force password > change I have found concerns with the fact that self appears to have to > have write access to the shadowLastChange attribute. Several of my > users are at least somewhat ldap savvy so they in fact could make so > that they never have to change their password. > > Is there a way around giving self write access to this attribute? Is > there a better implementation of LDAP and PAM as a central > password/shadow/group repository used for authenticating Unix users; > keeping in mind that password / shadow policies must be enforced? > > Thanks! > Eric Sammons > FRIT - Unix Systems -- Jules Agee System Administrator Pacific Coast Feather Co. julesa@pcf.com x284

Follow-Ups:
- Re: [pamldap] A way around self write shadowLastChange?
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: Strange problems when trying to compile v2.2.4
Next by Date: it says that I need to copy the databes to the replica
Index(es):
- Chronological
- Thread