[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: How To set things up to allow users to change their passwords
Robert Heller wrote:
> At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik <stybla@turnovfree.net> wrote:
>
>> Robert Heller wrote:
>>> At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter" <dieter@dkluenter.de> wrote:
>>>
>>>> Robert Heller <heller@deepsoft.com> writes:
>>>>
>>>>> I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
>>>>> RPMS) and I want to allow users to change their passwords, but I am
>>>>> confused by the documentation (it has both too much and not enough
>>>>> information -- there don't appear to be simple HowTos for common setups).
>>>> http://www.openldap.org/doc/admin24/slapdconfig.html
>>>> see section 6.3
>>> OK, I have set this up, and with some poking around I have gained a
>>> better unterstanding of what is going on. I have another question:
>>>
>>> In the sample config it has an access control list that looks like:
>>>
>>> access to attrs=userPassword
>>> by self write
>>> by anonymous auth
>>> by dn.base="cn=Admin,dc=example,dc=com" write
>>> by * none
>>>
>>> Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this
>>> something a add to slapd.config or insert into the database or ???
>>>
>> Evening,
>>
>> -- SNIP ---
>> # cat /etc/openldap/slapd.conf
>> ...
>> rootdn "cn=Manager,dc=domain,dc=tld"
>> rootpw {SSHA}blahBlahHash
>
> It already has a rootdn/rootpw, much like the sample one
Should we have a crystal ball? You haven't shown us a bit of your
configs and expecting miracles?
Yes, I'm being rude. Yes, I found your question as a "basic know-how"
thing. Also, whole thing can be studied in many books out there. And
believe it, it's not that much to read.
Also, if you are looking for some very specific how-to which is going to
be tailored specially for you, I somewhat resigned on such ideas. But
yeah, I'm no surprised. There are also Bubuntu, Debian, etc. how-tos
[oh, well - google?].
If you don't want to waste time with setting up OpenLDAP, which you
should if you're real about using it, then pay somebody. There are
companies doing it for living.
>(in section
> 6.3) for 'cn=Manager,dc=example,dc=com', the sample slapd.config has this also.
> The slapd.config in section 6.3 *ALSO* refers to the DN
> "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from
> "cn=Manager,dc=example,dc=com". How do a specify a password for this
> *OTHER* DN?
You will use % slappasswd; to generate HASH password. Then, you will use
% ldapadd; or % ldapmod;, to add new user entry with DN:
'cn=Admin,dc=example,dc=com'. Please, do read manual pages for those, or
some books about LDIF.
> Or is the slapd.conf in section 6.3 just being gratiously
> confusing for no good reason?
Well, that's possible. It's been written by people. If there are
mistakes, please, point them out (ideally with appropriate fixes), so
they can be fixed/clarified. Yeah, Admin's guide isn't perfect. In a
fact, some sections are missing, or lack information.
> I understand that the rootdn was write
> access to everything, no matter what the ACLs say. I presuming that the
> ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to
> updating accounts. How do I set this other person's password? Is this
> in the database, slapd.conf or ldap.conf or someplace else?
>
Use % ldapmod;.
>> -----------
>>
>> Regards,
>> Zdenek
>>
>
Zdenek
--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net