
Re: How To set things up to allow users to change their passwords



At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik <stybla@turnovfree.net> wrote:

> 
> Robert Heller wrote:
> > At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter" <dieter@dkluenter.de> wrote:
> > 
> >> Robert Heller <heller@deepsoft.com> writes:
> >>
> >>> I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
> >>> RPMS) and I want to allow users to change their passwords, but I am
> >>> confused by the documentation (it has both too much and not enough
> >>> information -- there don't appear to be simple HowTos for common setups).
> >> http://www.openldap.org/doc/admin24/slapdconfig.html
> >>  see section 6.3
> > 
> > OK, I have set this up, and with some poking around I have gained a
> > better understanding of what is going on.  I have another question:
> > 
> > In the sample config it has an access control list that looks like:
> > 
> > access to attrs=userPassword
> > 	by self write
> > 	by anonymous auth
> > 	by dn.base="cn=Admin,dc=example,dc=com" write
> > 	by * none
> > 
> > Where does the password for "cn=Admin,dc=example,dc=com" exist?  Is this
> > something I add to slapd.config or insert into the database or ???
> > 
> 
> Evening,
> 
> -- SNIP ---
> # cat /etc/openldap/slapd.conf
> ...
> rootdn		"cn=Manager,dc=domain,dc=tld"
> rootpw		{SSHA}blahBlahHash

It already has a rootdn/rootpw, much like the sample one (in section
6.3) for 'cn=Manager,dc=example,dc=com', the sample slapd.config has this also. 
The slapd.config in section 6.3 *ALSO* refers to the DN
"cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from
"cn=Manager,dc=example,dc=com".  How do I specify a password for this
*OTHER* DN?  Or is the slapd.conf in section 6.3 just being gratuitously
confusing for no good reason?  I understand that the rootdn has write
access to everything, no matter what the ACLs say.  I am presuming that the
ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to
updating accounts.  How do I set this other person's password?  Is this
in the database, slapd.conf or ldap.conf or someplace else?

> -----------
> 
> Regards,
> Zdenek
> 

-- 
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
heller@deepsoft.com       -- http://www.deepsoft.com/ModelRailroadSystem/