[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Allowing users to update their passwords
On Tue, Oct 13, 2015 at 09:02:01AM +0200, Dieter Klünter wrote:
> Am Mon, 12 Oct 2015 16:13:18 -0500
> schrieb Kartik Vashishta <kartik.unix@gmail.com>:
>
> > Team,
> >
> > I am not anything but new to ldap. I have however successfully
> > installed and configured Openldap on CentOS7. Online material was a
> > BIG help.
> >
> > I am trying to figure out how to allow users to change their own
> > passwords.
> >
> > Googling pointed me out to this:
> > access to attrs=userPassword
> > by self write
> > by anonymous auth
> > by users none
> >
> > access to * by * read
> >
> > But where and how does this get input into the ldap db. There is no
> > more a slapd.conf.
>
> slapd-config(5)
Also
http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration
I would suggest changing the access list:
olcAccess: to attrs=userPassword
by self =wx
by anonymous auth
by * none
olcAccess: to * by * read
The important change is the 'self' access. If you use 'write' then you are also
granting read access, so someone who gets control of an authenticated session
would be able to read the user's password. By using =w or =wx you allow
passwords to be changed and to be used in authentication, but you prevent them
being read.
You will need to search your config to find the appropriate entry to add the
above values to. It will be something like olcDatabase=mdb,cn=config
You should also configure a strong hash function for passwords, and ideally you
should install a password policy overlay to enforce password hashing.
The choice of hash function depends on the libraries available in your
operating system. SSHA is always available but is very weak in the face of a
password cracker. The Linux/FreeBSD/OpenBSD '$1$' '$6$' and '$2a$' hashes are
very much stronger. Config looks like this:
olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: "$6$%.12s"
It should be added to the olcDatabase=frontend,cn=config entry.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------