[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: setting up openldap for day-to-day admin

To: Maxwell Bottiger <sleepylight@jive-turkey.net>, openldap-software@OpenLDAP.org
Subject: Re: setting up openldap for day-to-day admin
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Thu, 06 May 2004 19:07:00 -0700
Content-disposition: inline
In-reply-to: <1083893999.2169.1.camel@shaft>
References: <1083893999.2169.1.camel@shaft>

--On Thursday, May 06, 2004 9:39 PM -0400 Maxwell Bottiger <sleepylight@jive-turkey.net> wrote:

Hi,
        I'm having a bit of trouble wrapping my brain around the steps
needed to make a pretty simple setup of OpenLDAP work for me.  I was
able to use ldapadd to put a bunch of users into my database, then set
up nsswitch.conf to allow ldap to emulate NIS.  I can't tell you how
happy I am to be rid of NIS, OpenLDAP has been awesome to me.
        Right now though, I'm not able to change user passwords, and I
think it's because I haven't given users rights to do so, or at least
haven't given them rights to do so on the network.  I think the relevant
part of my slapd.conf file is this:

  access to dn.base="" by * read  access to dn.base="cn=Subschema" by *
read  access to *         by self write
        by users read
        by anonymous auth

 That looks good, but I find messages like:
May  6 12:32:31 summoner passwd[15665]: pam_ldap: ldap_modify_s
Insufficient access
May  6 12:33:06 summoner passwd[15668]: pam_ldap: ldap_modify_s
Insufficient access

 in /var/log/messages.  So, I think that I need to do 2 things.  First, I
need ldap to recognize users for who they are, not anonymous.  Second I'd
like to set myself up as the ldap admin, so that I can easily edit things
like users and passwords and phone numbers (instead of always having to
specify "cn=ldapadmin,dc=modsim,dc=lab")  Where do I start?
 --

This is best addressed by the PAM/NSS LDAP lists. You can find their addresses at:

Mailing Lists

PADL provide three mailing lists which users of our open source software can use to support each other. Users can subscribe to these mailing lists by sending a mail to majordomo@padl.com with "subscribe listname" in the body. The addresses below are for posting to the mailing lists; do not send subscription requests to these addresses. Posting is limited to subscribers.

ldap-nis@padl.com - general discussion about software which supports RFC 2307 nssldap@padl.com - discussion amongst users of nss_ldap. An archive is available at http://www.netsys.com/nssldap/. pamldap@padl.com - discussion amongst users of pam_ldap. An archive is available at http://www.netsys.com/pamldap/.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- setting up openldap for day-to-day admin
  - From: Maxwell Bottiger <sleepylight@jive-turkey.net>

Prev by Date: Re: setting up openldap for day-to-day admin
Next by Date: Re: Fw: ldap_add: Operations error
Index(es):
- Chronological
- Thread