Sent: Monday, December 07, 2009 3:53 AM To: openldap-technical@openldap.org Cc: Serge Fonville; Robert Heller Subject: Re: How To set things up to allow users to change their passwords
On Sunday, 6 December 2009 15:49:58 Robert Heller wrote:
At Sun, 6 Dec 2009 02:13:28 +0100 Serge Fonville serge.fonville@gmail.com wrote:
On Fri, Dec 4, 2009 at 5:55 PM, Robert Heller heller@deepsoft.com wrote:
I have OpenLDAP set up on a CentOS 5 system (using the stock 2.3.43 RPMs) and I want to allow users to change their passwords, but I am confused by the documentation (it has both too much and not enough information -- there don't appear to be simple HowTos for common setups).
Your PAM configuration should have been updated (if you used authconfig or similar) to change passwords via LDAP, so 'passwd' as an LDAP user should work.
More specifically, and to hopefully end this thread, look in libnss-ldap.conf and/or pam_ldap.conf at the pam_password attribute (and set up PAM for LDAP; there are plenty of well-written docs on that online). Set it to exop for slapd to take the plaintext from the passwd command, encrypt it with whatever your slapd.conf says to use for userPassword (default SSHA, set via password-hash) and update the LDAP tree (following any policy guidelines if you use the ppolicy overlay). If you instead went the route of a CGI/PHP page, you can comment out pam-passwd and set pam_password_prohibit_message to its URL to send users there.
The Admin entry is probably just an example for some "admin" user created for an app/other user to change passwords for users. slapd doesn't auto-create entries unless an overlay or config item tells it to; even the cn=manager,<BASE-DN> entry is "created" from your slapd.conf file (rootdn/rootpw).
-T
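The pieces the reply describes, pulled together as an added example (not configuration from the thread): pam_ldap.conf asks slapd to do the hashing via the Password Modify extended operation, and slapd.conf picks the hash. The ACL stanza, the StartTLS line, the host name and the base DN dc=example,dc=com are assumptions the thread does not mention; the ACL is what actually lets a user write only their own userPassword.

```conf
# /etc/pam_ldap.conf  (client side; host and base DN are made-up values)
base dc=example,dc=com
uri ldap://ldap.example.com/
# Protect the cleartext password on the wire (assumption, not from the thread).
ssl start_tls
# exop: passwd hands the new cleartext to slapd over the user's own bind and
# slapd hashes it server-side. With crypt/md5 the client would hash and the
# server would store whatever it is sent, bypassing password-hash.
pam_password exop

# /etc/openldap/slapd.conf  (server side)
# Hash slapd applies to cleartext arriving via Password Modify (RFC 3062).
password-hash {SSHA}

# Least privilege for the password attribute: the entry owner may write it,
# anyone may use it to bind (auth), nobody may read the stored hash.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by anonymous auth
```

`passwd` as an LDAP user should now go through PAM to the exop; `ldappasswd -x -Z -W -S -D <user DN>` issues the same extended operation directly and is a quick way to confirm the ACL and hash settings without PAM in the path.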