To which objectclass should the entry belong? What about access rules?
Thanks
On Wed, Jun 29, 2011 at 8:14 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Wednesday, June 29, 2011 8:00 PM -0300 Friedrich Locke friedrich.locke@gmail.com wrote:
Dear list users,
I would like to have an entry in my OpenLDAP server that needs to have a password, so that clients would be able to bind as it by providing its password. For instance: cn=x,ou=y,dc=a,dc=b. So anyone knowing the password of "cn=x,ou=y,dc=a,dc=b" could bind as it.
Add a userPassword value to that entry.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
On Wed, Jun 29, 2011 at 10:09:54PM -0300, Friedrich Locke wrote:
To which objectclass should the entry belong?
Any class that permits the attribute types that you need. A common choice is inetOrgPerson, but for non-person accounts it is more appropriate to use other classes such as account or organizationalRole - often in combination with the simpleSecurityObject auxiliary class to permit the use of userPassword.
dn: uid=u1,dc=people,dc=example,dc=org
objectclass: account
objectclass: simpleSecurityObject
description: A User
uid: u1
userPassword: secret
Note that it is generally best to hash the userPassword value with SSHA.
What about access rules?
It is normal to prevent everyone from reading passwords - including their own. You need to allow anon to have 'auth' access to the userPassword attribute.
Here is a minimal example:
################################################################
# Users may change their own passwords
# Users may read everything except passwords
# Anon may read everything except passwords
access to attrs="userPassword"
        by self =w
        by * auth
access to *
        by * read
################################################################
Andrew
openldap-technical@openldap.org