The OpenLDAP group actually points this type of question to the PADL or PAM type groups because it is specific to authentication using PAM.

In looking at this solution I notice that it contradicts one thing I had been told. I believe I was told that a user or self must have write access to the password attribute and to the shadowLastChange attribute. Thus I have configured the following:
    access to dn=".*,MyDomain" attr=shadowLastChange
        by dn="cn=Manager,MyDomain" write
        by self write
        by * read

    access to dn=".*,MyDomain" attr=userPassword
        by dn="cn=Manager,MyDomain" write
        by self write
        by * read

    access to dn=".*,MyDomain"
        by self write
        by users auth
        by * read
Are you saying that perhaps I can replace the first stanza with the stanza you provided below?
Thanks!
Eric Sammons
(804)697-3925
FRIT - Unix Systems
Jules Agee <julesa@pcf.com>
01/14/2004 04:03 PM
To: Eric.Sammons@frit.frb.org
cc:
Subject: Re: [pamldap] A way around self write shadowLastChange?
This is more of a subject for the OpenLDAP lists. That being said, you can set these parameters with an entry in your OpenLDAP server's slapd.conf, something like this:
    access to attr=uidnumber,gidnumber,homeDirectory,shadowLastChange
        by * read
        by * compare
        by dn="LDAPManagerDN" write
        by dn="LDAPManagerDN" read
See the LDAP admin guide at openldap.org for more details.
-Jules
Eric.Sammons@frit.frb.org wrote:
>
> In implementing OpenLDAP in my Linux environment and making use of the
> shadow attributes to enforce password expiration and force password
> change I have found concerns with the fact that self appears to have to
> have write access to the shadowLastChange attribute. Several of my
> users are at least somewhat LDAP savvy so they in fact could make it so
> that they never have to change their password.
>
> Is there a way around giving self write access to this attribute? Is
> there a better implementation of LDAP and PAM as a central
> password/shadow/group repository used for authenticating Unix users;
> keeping in mind that password / shadow policies must be enforced?
>
> Thanks!
> Eric Sammons
> FRIT - Unix Systems
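The question in this thread comes down to how slapd evaluates the stanzas above: directives are tried in order, the first one whose target matches is used, and inside it the first `by` clause whose selector matches the bound identity decides, so clause order matters. Below is an added worked example, written for this page and not code from either poster or from the OpenLDAP project, that models those documented semantics in Python and runs the thread's stanzas through them, plus a variant of Eric's first stanza with `by self write` removed so that only the manager DN can set shadowLastChange. The entry DNs `uid=alice,...` and `uid=bob,...`, and the use of `MyDomain` and `LDAPManagerDN` as literal suffix and DN, are constructed sample values; a real rootdn bypasses ACLs entirely and is modeled here only as an ordinary DN.

```python
"""Model of slapd.conf 'access to' evaluation (added example, not the
original post's code). Semantics modeled from the OpenLDAP admin guide:
first matching directive wins, first matching 'by' clause within it
decides, and an implicit 'by * none' ends every directive."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# slapd access levels, lowest to highest; a higher level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Rule:
    dn_regex: Optional[str]          # 'access to dn="<regex>"'; None means any entry
    attrs: Optional[Set[str]]        # 'attr=a,b,c'; None means the entry and all attrs
    by: List[Tuple[str, str]]        # ordered ('<who>', '<level>') clauses


def _who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """Does a 'by <who>' selector match the bound identity (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn="):            # regex-style dn selector, as in the thread
        return requester is not None and re.fullmatch(who[3:], requester, re.I) is not None
    raise ValueError(f"unsupported who selector: {who}")


def allowed(acl: List[Rule], requester: Optional[str], target_dn: str,
            attr: str, wanted: str) -> bool:
    """True if slapd would grant `wanted` access to `attr` of `target_dn`."""
    for rule in acl:
        if rule.dn_regex is not None and not re.fullmatch(rule.dn_regex, target_dn, re.I):
            continue
        if rule.attrs is not None and attr.lower() not in {a.lower() for a in rule.attrs}:
            continue
        for who, level in rule.by:
            if _who_matches(who, requester, target_dn):
                # First matching clause decides; later clauses are never reached.
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False   # implicit 'by * none' at the end of the matching directive
    return False       # no directive matched the target: deny


# Constructed sample identities (not from the thread).
MANAGER = "cn=Manager,MyDomain"
ALICE = "uid=alice,ou=People,MyDomain"
BOB = "uid=bob,ou=People,MyDomain"

# Eric's three stanzas, transcribed into the model.
ERIC_ACL = [
    Rule(".*,MyDomain", {"shadowLastChange"},
         [("dn=cn=Manager,MyDomain", "write"), ("self", "write"), ("*", "read")]),
    Rule(".*,MyDomain", {"userPassword"},
         [("dn=cn=Manager,MyDomain", "write"), ("self", "write"), ("*", "read")]),
    Rule(".*,MyDomain", None,
         [("self", "write"), ("users", "auth"), ("*", "read")]),
]

# Variant of the first stanza with 'by self write' dropped: users keep
# self-write on userPassword, but only an administrative bind as the
# manager DN may set shadowLastChange.
HARDENED_ACL = [
    Rule(".*,MyDomain", {"shadowLastChange"},
         [("dn=cn=Manager,MyDomain", "write"), ("*", "read")]),
] + ERIC_ACL[1:]

# Jules's stanza, with LDAPManagerDN kept as the literal placeholder he used.
JULES_ACL = [
    Rule(None, {"uidnumber", "gidnumber", "homeDirectory", "shadowLastChange"},
         [("*", "read"), ("*", "compare"),
          ("dn=LDAPManagerDN", "write"), ("dn=LDAPManagerDN", "read")]),
]


def report(acl: List[Rule], attr: str = "shadowLastChange") -> Tuple[bool, bool, bool]:
    """Who may write `attr` on Alice's entry: (manager, Alice herself, Bob)."""
    return tuple(allowed(acl, who, ALICE, attr, "write") for who in (MANAGER, ALICE, BOB))


if __name__ == "__main__":
    print("Eric's stanzas, shadowLastChange  (manager, self, other):", report(ERIC_ACL))
    print("Hardened variant, shadowLastChange:", report(HARDENED_ACL))
    print("Hardened variant, userPassword:    ", report(HARDENED_ACL, "userPassword"))
    print("Jules's stanza, manager write:",
          allowed(JULES_ACL, "LDAPManagerDN", ALICE, "shadowLastChange", "write"))
```

Running it shows the property the thread is after: under the hardened variant a user can still change userPassword but no longer touch shadowLastChange, while an unrelated user (Bob) never could. It also shows why ordering is worth checking in any stanza: with `by * read` listed first, that clause matches every requester, including the manager DN, so the later `write` clause is never consulted.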