At Sat, 05 Dec 2009 19:41:26 +0100 Zdenek Styblik stybla@turnovfree.net wrote:
Robert Heller wrote:
At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik stybla@turnovfree.net wrote:
Robert Heller wrote:
At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter" dieter@dkluenter.de wrote:
Robert Heller heller@deepsoft.com writes:
I have Openldap set up on a CentOS 5 system (using the stock 2.3.43 RPMS) and I want to allow users to change their passwords, but I am confused by the documentation (it has both too much and not enough information -- there don't appear to be simple HowTos for common setups).
http://www.openldap.org/doc/admin24/slapdconfig.html see section 6.3
OK, I have set this up, and with some poking around I have gained a better understanding of what is going on. I have another question:
In the sample config it has an access control list that looks like:
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Admin,dc=example,dc=com" write
        by * none

Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this something I add to slapd.config or insert into the database or ???
Evening,
-- SNIP ---
# cat /etc/openldap/slapd.conf
...
rootdn "cn=Manager,dc=domain,dc=tld"
rootpw {SSHA}blahBlahHash
It already has a rootdn/rootpw, much like the sample one
Should we have a crystal ball? You haven't shown us a bit of your configs and expecting miracles?
Basically pretty much straight from section 6.3 of the Admin guide.
Yes, I'm being rude. Yes, I found your question as a "basic know-how" thing. Also, whole thing can be studied in many books out there. And believe it, it's not that much to read.
I've *been* reading the admin guide. It is just not clear to me.
Also, if you are looking for some very specific how-to which is going to be tailored specially for you, I somewhat resigned on such ideas. But yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos [oh, well - google?].
I'm using CentOS (RHEL).
If you don't want to waste time with setting up OpenLDAP, which you should if you're real about using it, then pay somebody. There are companies doing it for a living.
(in section 6.3) for 'cn=Manager,dc=example,dc=com', the sample slapd.config has this also. The slapd.config in section 6.3 *ALSO* refers to the DN "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from "cn=Manager,dc=example,dc=com". How do I specify a password for this *OTHER* DN?
You will use % slappasswd; to generate HASH password. Then, you will use % ldapadd; or % ldapmod;, to add new user entry with DN: 'cn=Admin,dc=example,dc=com'. Please, do read manual pages for those, or some books about LDIF.
I've read the docs, they just don't seem clear.
Or is the slapd.conf in section 6.3 just being gratuitously confusing for no good reason?
Well, that's possible. It's been written by people. If there are mistakes, please, point them out (ideally with appropriate fixes), so they can be fixed/clarified. Yeah, Admin's guide isn't perfect. In fact, some sections are missing, or lack information.
I understand that the rootdn has write access to everything, no matter what the ACLs say. I am presuming that the ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to updating accounts. How do I set this other person's password? Is this in the database, slapd.conf or ldap.conf or someplace else?
Use % ldapmod;.
Regards, Zdenek
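Added example, not part of the original thread: the password for cn=Admin,dc=example,dc=com is stored in the database as the userPassword attribute of that entry, created with slappasswd and ldapadd as the reply describes. The object classes, the function names and the pre-existing dc=example,dc=com suffix are assumptions.

```shell
#!/bin/sh
# Added example: create the cn=Admin entry named in the userPassword ACL.
# Assumed: the suffix dc=example,dc=com already exists in the database and
# the rootdn cn=Manager,dc=example,dc=com from slapd.conf is used to add it.

ADMIN_DN='cn=Admin,dc=example,dc=com'
ROOT_DN='cn=Manager,dc=example,dc=com'

# Print the LDIF for an admin entry.
#   $1 = DN of the entry, $2 = hashed password as printed by slappasswd.
# Values without a {SCHEME} prefix are refused, so a cleartext password is
# never written into the directory by mistake.
admin_ldif() {
    dn=$1
    hash=$2
    case $hash in
        '{'*'}'?*) ;;
        *) echo "admin_ldif: password is not hashed" >&2; return 1 ;;
    esac
    cn=${dn%%,*}    # first RDN, e.g. cn=Admin
    cn=${cn#cn=}    # its value, e.g. Admin
    cat <<EOF
dn: $dn
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: $cn
userPassword: $hash
EOF
}

# Hash a new password and add the entry, binding as the rootdn.
# slappasswd prompts for the new password; ldapadd -W prompts for rootpw.
add_admin() {
    hash=$(slappasswd -h '{SSHA}') || return 1
    admin_ldif "$ADMIN_DN" "$hash" | ldapadd -x -D "$ROOT_DN" -W
}

# Run "add_admin" on the server, then check that the new DN can bind:
#   ldapwhoami -x -D "$ADMIN_DN" -W
```

Once the entry exists, the "by dn.base=... write" clause applies to whoever binds with that DN and password; nothing for this DN goes into slapd.conf or ldap.conf.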