Hi All
Does anyone know how to configure OpenLDAP to allow directory users to change their own passwords?
I'm using Openldap-2.2.13-7.4E (on my RedHat server)
As it is now, I have to change everyone's directory password for them and the security department isn't liking it.
Thank you for your help.
Anne
<quote who="Anne Moore">
Hi All
Does anyone know how to configure OpenLDAP to allow directory users to change their own passwords?
You don't mention anything about the clients you are using or your ACLs.
I'm using Openldap-2.2.13-7.4E (on my RedHat server)
See our recommendations on using Red Hat OpenLDAP software in the archives.
As it is now, I have to change everyone's directory password for them and the security department isn't liking it.
Thank you for your help.
Anne
Anne Moore wrote, on 13-09-2007 15:12:
Does anyone know how to configure OpenLDAP to allow directory users to change their own passwords?
The answer is "yes, I do that".
I'm using Openldap-2.2.13-7.4E (on my RedHat server)
As Gavin implies, you shouldn't be using this version; it won't allow you to do what you want, it's full of bugs anyway and your security department will go on not liking it.
For where to get up to date rpms for whatever Red Hat version you're using (probably RHAS/RHEL4), go to http://staff.telkomsa.net/packages/
As it is now, I have to change everyone's directory password for them and the security department isn't liking it.
--Tonni
Hi Tony
It's not the VERSION of Openldap causing the problem, it's how it's configured. That's why I'm here asking how to configure it to do this.
You wrote, "The answer is 'yes, I do that'."
Except you did not write how you do that. If you share it with others, you will feel much better. ;)
Anne
-----Original Message-----
From: openldap-software-bounces+diabeticithink=yahoo.com@OpenLDAP.org On Behalf Of Tony Earnshaw
Sent: Friday, September 14, 2007 12:55 AM
Cc: openldap-software@openldap.org
Subject: Re: configure OpenLDAP to allow directory users - change pass
--
Tony Earnshaw
Email: tonni at hetnet dot nl
Anne Moore wrote, on 14-09-2007 14:15:
It's not the VERSION of Openldap causing the problem, it's how it's configured. That's why I'm here asking how to configure it to do this.
You wrote, "The answer is 'yes, I do that'."
Except you did not write how you do that. If you share it with others, you will feel much better. ;)
When you upgrade your version of openldap to one that does what you want (your present version doesn't), I'm sure people will rush to help you. Before you do that, it's a waste of time even starting.
If you don't believe me, do 'man 5 slapo-ppolicy' and see what comes up ;)
Best,
--Tonni
On Sep 13, 2007, at 3:12 PM, Anne Moore wrote:
Hi All
Does anyone know how to configure OpenLDAP to allow directory users to change their own passwords?
I'm using Openldap-2.2.13-7.4E (on my RedHat server)
As it is now, I have to change everyone's directory password for them and the security department isn't liking it.
What do ldappasswd(1) and/or ldapmodify(1) say when changing the directory user's password when run as the user (instead of you or the Directory Manager)?
Note: If the users are using some other software, you might have a problem with that software. But before raising an issue (on a list about the other software, not here) you should make sure things work using only OpenLDAP Software. So, even if your users aren't using these tools, you should test with them (as a user) before doing anything else.
-- Kurt
We've tried the ldappasswd on the clients and receive this error:
"ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-13): user not found: no secret in database"
Obviously something is not configured correctly.
Any ideas on this error?
Thank you
Anne
-----Original Message-----
From: openldap-software-bounces+diabeticithink=yahoo.com@OpenLDAP.org On Behalf Of Kurt Zeilenga
Sent: Friday, September 14, 2007 2:20 AM
To: Anne Moore
Cc: openldap-software@openldap.org
Subject: Re: configure OpenLDAP to allow directory users - change pass
On Sep 14, 2007, at 3:17 PM, Anne Moore wrote:
We've tried the ldappasswd on the clients and receive this error:
"ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-13): user not found: no secret in database"
Are you intending to use SASL? If not, you simply are misusing ldappasswd(1). Read the manual page, especially the part about the -x option.
Obviously something is not configured correctly.
Any ideas on this error?
Are you intending to use SASL? Assuming not, you simply are misusing ldappasswd(1). You need to specify -x for ldappasswd(1) to perform a simple DN/password authentication. See ldappasswd(1) for details.
-- Kurt
Tried it, like so: ldappasswd -x -D uid=testuser,ou=People,dc=mydomain,dc=com
And I tried: ldappasswd -x -D uid=testuser,ou=People,dc=mydomain,dc=com -w newpassword
And I get this error each time: "additional info: unauthenticated bind (DN with no password) disallowed"
Which means that the user can't change their own password, so I'm back to where I started.
I have this in my slapd.conf file:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=manager,dc=mydomain,dc=com"
# rootpw secret
rootpw {SSHA}4O8ghrU5sdfIz4QJ/C676eIHZE4mDCI96c3K

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap/mydomain.com

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
-----Original Message-----
From: openldap-software-bounces+diabeticithink=yahoo.com@OpenLDAP.org On Behalf Of Kurt Zeilenga
Sent: Friday, September 14, 2007 10:22 AM
To: Anne Moore
Cc: openldap-software@openldap.org
Subject: Re: configure OpenLDAP to allow directory users - change pass
<quote who="Anne Moore">
We've tried the ldappasswd on the clients and receive this error:
ldappasswd -x
You're going to have to try a bit harder ;-)
"ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80) additional info: SASL(-13): user not found: no secret in database"
Obviously something is not configured correctly.
Any ideas on this error?
Thank you
Anne
Haha, yah perhaps so! However, that didn't work either. Now I just get another set of errors:
"Result: Strong(er) authentication required (8) Additional info: only authenticated users may change passwords"
This is a major pain in the butt...
I just wish there was documentation out there on the basics of this setup, but so far, I've found nothing...
Thanks anyway
-----Original Message-----
From: Gavin Henry <ghenry@suretecsystems.com>
Sent: Friday, September 14, 2007 11:20 AM
To: Anne Moore
Cc: openldap-software@openldap.org
Subject: RE: configure OpenLDAP to allow directory users - change pass
<quote who="Anne Moore">
Haha, yah perhaps so! However, that didn't work either. Now I just get another set of errors:
"Result: Strong(er) authentication required (8) Additional info: only authenticated users may change passwords"
This is a major pain in the butt...
I just wish there was documentation out there on the basics of this setup, but so far, I've found nothing...
Did you bind as the user you were changing the password for? with -x -D -W ?
Thanks anyway
You mean like so: ldappasswd -x -D cn=annem,dc=mydomain,dc=com
I also tried: ldappasswd -x -D cn=annem,dc=mydomain,dc=com -w newpassword
Yes, I tried that. No dice. It gives me an error:
"additional info: unauthenticated bind (DN with no password) disallowed"
Which of course means the regular user isn't allowed to bind to their own account and their password. So, I'm back to the drawing board. I still can't figure out how to change slapd.conf to enable regular users to change their own passwords...
Bugger...
-----Original Message-----
From: Gavin Henry <ghenry@suretecsystems.com>
Sent: Friday, September 14, 2007 11:52 AM
To: Anne Moore
Cc: openldap-software@openldap.org
Subject: RE: configure OpenLDAP to allow directory users - change pass
Anne Moore wrote:
You mean like so: ldappasswd -x -D cn=annem,dc=mydomain,dc=com
I also tried: ldappasswd -x -D cn=annem,dc=mydomain,dc=com -w newpassword
Yes, I tried that. No dice. It gives me an error:
"additional info: unauthenticated bind (DN with no password) disallowed"
Which of course means the regular user isn't allowed to bind to their own account and their password. So, I'm back to the drawing board. I still can't figure out how to change slapd.conf to enable regular users to change their own passwords...
Bugger...
It would help if you paid attention and reported *exactly* what you typed and *exactly* what output you got from each command. For example, it is *impossible* for this command:
ldappasswd -x -D cn=annem,dc=mydomain,dc=com -w newpassword
to return this result:
"additional info: unauthenticated bind (DN with no password) disallowed"
Nobody can possibly help you when you supply incorrect information about what you're doing.
Anne Moore wrote:
Haha, yah perhaps so! However, that didn't work either. Now I just get another set of errors:
"Result: Strong(er) authentication required (8) Additional info: only authenticated users may change passwords"
This is a major pain in the butt...
I just wish there was documentation out there on the basics of this setup, but so far, I've found nothing...
The documentation on the basics of this setup has to be there, since thousands of users and administrators are happily using it, and I see very few >20 message long threads on the subject.
Since you seem to be unable to get those basics, you probably need to hire some expert consultant to do it for you. Please browse the (non-exhaustive) list of consultants at http://www.openldap.org/support/ and pick one.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
--On September 14, 2007 11:38:54 AM -0400 Anne Moore diabeticithink@yahoo.com wrote:
Haha, yah perhaps so! However, that didn't work either. Now I just get another set of errors:
"Result: Strong(er) authentication required (8) Additional info: only authenticated users may change passwords"
This is a major pain in the butt...
I just wish there was documentation out there on the basics of this setup, but so far, I've found nothing...
So you have to authenticate as a user. Do you have any idea at all how to use the ldap tools? Have you bothered to take the time to read the man pages?
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Sep 13, 2007, at 3:12 PM, Anne Moore wrote:
Does anyone know how to configure OpenLDAP to allow directory users to change their own passwords?
Another note: if you are looking for examples of how to configure slapd(8) to allow directory users to change their own passwords, you needn't look any further than the OpenLDAP test suite. In particular, test010-passwd builds a server for the expressed purpose of testing password updates. If you were building from source, you could just run this particular test (./run test010) and then go explore the configuration files it leaves behind.
As someone already pointed out (with example), the only configuration slapd(8) really needs to allow a directory user to change their password is write permission to the userPassword attribute.
-- Kurt
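Added example, not from the thread or from the OpenLDAP project: a small shell check that tells apart a slapd.conf like the one posted above, where every access directive is still commented out so slapd's built-in default policy (read for everyone, updates only by rootdn) applies, from one that actually grants an entry write access to its own userPassword. The two sample configs, the function name has_self_write_acl and its simplified first-match reading of slapd ACLs are all constructed here and are assumptions, not slapd's own evaluation logic.

```shell
#!/bin/sh
# Added example (not from the thread). Detect whether a slapd.conf has an
# ACTIVE "access to" clause that lets an entry write its own userPassword.
# With every ACL commented out, slapd falls back to "access to * by * read":
# anyone can read, only rootdn can update, and self-service changes fail.

# Constructed sample 1: the posted file, ACLs present only inside comments.
BROKEN_CONF='
# access to *
#         by self write
#         by users read
#         by anonymous auth
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=manager,dc=mydomain,dc=com"
'

# Constructed sample 2: a real ACL ahead of the database definition.
# slapd uses the FIRST matching "access to" clause, so userPassword is
# handled first and restrictively: the entry may write it, anonymous may
# only use it to bind, nobody else may read the hashes.
FIXED_CONF='
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth
database bdb
suffix "dc=mydomain,dc=com"
rootdn "cn=manager,dc=mydomain,dc=com"
'

# has_self_write_acl CONFIG_TEXT
# Prints "ok" and returns 0 when an uncommented clause whose target covers
# userPassword (attrs=userPassword or "*") carries "by self write" before
# any "by *" catch-all; otherwise prints "default-policy" and returns 1.
has_self_write_acl() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                       # commented lines are inert
        /^[ \t]*access[ \t]+to[ \t]/ {
            covers = ($0 ~ /attrs=[^ \t]*userPassword/ || $0 ~ /to[ \t]+\*/)
        }
        /^[ \t]*(database|suffix|rootdn)/ { covers = 0; next }
        covers && /by[ \t]+self[ \t]+write/ { found = 1; exit }
        covers && /by[ \t]+\*[ \t]/ { covers = 0 }  # catch-all ends the clause
        END { print (found ? "ok" : "default-policy"); exit !found }
    '
}

# Self-check on the constructed samples ("|| true" keeps set -e scripts alive).
has_self_write_acl "$BROKEN_CONF" || true   # default-policy
has_self_write_acl "$FIXED_CONF"  || true   # ok
```

The client side the thread converges on is ldappasswd -x -D <user DN> -W -S, which binds as the user with the current password and prompts for the new one.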