I have OpenLDAP set up on a CentOS 5 system (using the stock 2.3.43 RPMs) and I want to allow users to change their passwords, but I am confused by the documentation (it has both too much and not enough information -- there don't appear to be simple HowTos for common setups).
I am not sure what to put in /etc/openldap/slapd.conf (I think I need an ACL). I expect I need something in /etc/openldap/ldap.conf (or possibly /etc/ldap.conf) to allow the authorization. This is on a LAN with diskless clients, behind a firewall, so I *probably* don't need to set up SSL and certs (but I am unsure of this as well).
On Fri, 2009-12-04 at 11:55 -0500, Robert Heller wrote:
Hi Robert,
I think the most secure (since you are not using SSL) and preferred way is to use a small application for this. You can easily give the users a web interface (written using php-ldap) to change their passwords or whatever else.
phpLDAPadmin would do as well. But it's nicer to have your own something :)
Thanks, ~Chamith
At Sat, 05 Dec 2009 09:23:16 +0530 Chamith Kumarage gnu.chami@gmx.net wrote:
Hi Robert,
I think the most secure (since you are not using SSL) and preferred way is to use a small application for this. You can easily give the users a web interface (written using php-ldap) to change their passwords or whatever stuff.
This does not really help me much. Having some random application (web based or not) is not the issue; I need to know how to *configure* slapd and ldap in general to allow the proper access levels. Oh, I have no problem with using SSL, and if that is the way to go, I go that way. I also don't want to run a web server just for one *small* web application. I am also not really much of a php programmer either.
The admin documentation both has too much information and too little :-(. What I am looking for is a specialized how-to for this specific sort of situation. I understand that LDAP can do a lot of things, everything from being a company-wide phone book to handling DNS to handling user authorization, so it makes sense for the admin manual to cover a broad application range. I'm just getting lost in it.
Robert Heller heller@deepsoft.com writes:
I have Openldap set up on a CentOS 5 system (using the stock 2.3.43 RPMS) and I want to allow users to change their passwords, but I am confused by the documentation (it has both too much and not enough information -- there don't appear to be simple HowTos for common setups).
http://www.openldap.org/doc/admin24/slapdconfig.html see section 6.3
I am not sure what to put in /etc/openldap/slapd.conf (I think I need an ACL). I expect I need something in /etc/openldap/ldap.conf (or possibly /etc/ldap.conf) to allow the authorization. This is on a LAN with diskless clients, behind a firewall, so I *probably* don't need to set up SSL and certs (but I am unsure of this as well).
Get your system running first, then you may decide to install transport layer security.
-Dieter
At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter" dieter@dkluenter.de wrote:
http://www.openldap.org/doc/admin24/slapdconfig.html see section 6.3
OK, I have set this up, and with some poking around I have gained a better understanding of what is going on. I have another question:
In the sample config it has an access control list that looks like:
    access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Admin,dc=example,dc=com" write
        by * none
Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this something I add to slapd.config or insert into the database or ???
Robert Heller wrote:
Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this something I add to slapd.config or insert into the database or ???
Evening,
-- SNIP ---
# cat /etc/openldap/slapd.conf
...
rootdn "cn=Manager,dc=domain,dc=tld"
rootpw {SSHA}blahBlahHash
-----------
Regards, Zdenek
At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik stybla@turnovfree.net wrote:
-- SNIP ---
# cat /etc/openldap/slapd.conf
...
rootdn "cn=Manager,dc=domain,dc=tld"
rootpw {SSHA}blahBlahHash
It already has a rootdn/rootpw, much like the sample one (in section 6.3) for 'cn=Manager,dc=example,dc=com'; the sample slapd.config has this also. The slapd.config in section 6.3 *ALSO* refers to the DN "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from "cn=Manager,dc=example,dc=com". How do I specify a password for this *OTHER* DN? Or is the slapd.conf in section 6.3 just being gratuitously confusing for no good reason? I understand that the rootdn has write access to everything, no matter what the ACLs say. I'm presuming that the ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to update accounts. How do I set this other person's password? Is this in the database, slapd.conf or ldap.conf or someplace else?
Robert Heller wrote:
It already has a rootdn/rootpw, much like the sample one
Should we have a crystal ball? You haven't shown us a bit of your configs and you're expecting miracles? Yes, I'm being rude. Yes, I found your question to be a "basic know-how" thing. Also, the whole thing can be studied in many books out there. And believe it, it's not that much to read. Also, if you are looking for some very specific how-to which is going to be tailored specially for you, I have somewhat resigned from such ideas. But yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos [oh, well - google?]. If you don't want to waste time with setting up OpenLDAP, which you should if you're real about using it, then pay somebody. There are companies doing it for a living.
(in section 6.3) for 'cn=Manager,dc=example,dc=com'; the sample slapd.config has this also. The slapd.config in section 6.3 *ALSO* refers to the DN "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from "cn=Manager,dc=example,dc=com". How do I specify a password for this *OTHER* DN?
You will use % slappasswd; to generate a password hash. Then you will use % ldapadd; or % ldapmod; to add a new user entry with DN 'cn=Admin,dc=example,dc=com'. Please do read the manual pages for those, or some books about LDIF.
Or is the slapd.conf in section 6.3 just being gratuitously confusing for no good reason?
Well, that's possible. It's been written by people. If there are mistakes, please point them out (ideally with appropriate fixes), so they can be fixed/clarified. Yeah, the Admin Guide isn't perfect. In fact, some sections are missing or lack information.
I understand that the rootdn has write access to everything, no matter what the ACLs say. I'm presuming that the ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to update accounts. How do I set this other person's password? Is this in the database, slapd.conf or ldap.conf or someplace else?
Use % ldapmod;.
Zdenek
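As an added worked example (not code from the thread or from OpenLDAP), the following Python shows what Zdenek's "slappasswd, then ldapadd" step produces: an {SSHA} value in the layout slappasswd emits (and which the rootpw line above also uses), a check of a candidate password against it the way slapd verifies a simple bind, and the LDIF for the separate cn=Admin,dc=example,dc=com entry the sample ACL names. Assumptions: a 4-byte salt (slappasswd's default) and organizationalRole plus simpleSecurityObject as the entry's object classes; the password is a constructed sample.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample DN, matching the ACL in the thread's sample slapd.conf.
ADMIN_DN = "cn=Admin,dc=example,dc=com"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value in the layout slappasswd emits:
    base64( SHA1(password || salt) || salt ).
    Assumption: a 4-byte random salt, slappasswd's default length."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, candidate: str) -> bool:
    """Verify a candidate against a {SSHA} or {SHA} userPassword/rootpw
    value, the way slapd checks a simple bind against a hashed value."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
        computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
        return hmac.compare_digest(computed, digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        computed = hashlib.sha1(candidate.encode("utf-8")).digest()
        return hmac.compare_digest(computed, raw)
    scheme = stored.split("}", 1)[0] + "}" if stored.startswith("{") else "<none>"
    raise ValueError("unsupported password scheme: " + scheme)


def admin_entry_ldif(password: str, dn: str = ADMIN_DN) -> str:
    """Build the LDIF that ldapadd takes to create the Admin entry.
    Assumption: organizationalRole + simpleSecurityObject, which together
    allow cn and userPassword on an entry that is not a person."""
    rdn_value = dn.split(",", 1)[0].split("=", 1)[1]
    lines = [
        f"dn: {dn}",
        "objectClass: organizationalRole",
        "objectClass: simpleSecurityObject",
        f"cn: {rdn_value}",
        "description: account granted write on userPassword by the ACL",
        f"userPassword: {ssha_hash(password)}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample password; in practice slappasswd prompts for it.
    print(admin_entry_ldif("s3cret-example"))
```

The printed LDIF is what you would feed to ldapadd while bound as the rootdn; after that, the ACL lets the new entry bind with that password and write other entries' userPassword.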
At Sat, 05 Dec 2009 19:41:26 +0100 Zdenek Styblik stybla@turnovfree.net wrote:
Should we have a crystal ball? You haven't shown us a bit of your configs and expecting miracles?
Basically pretty much straight from section 6.3 of the Admin guide.
Yes, I'm being rude. Yes, I found your question to be a "basic know-how" thing. Also, the whole thing can be studied in many books out there. And believe it, it's not that much to read.
I've *been* reading the admin guide. It is just not clear to me.
Also, if you are looking for some very specific how-to which is going to be tailored specially for you, I have somewhat resigned from such ideas. But yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos [oh, well - google?].
I'm using CentOS (RHEL).
You will use % slappasswd; to generate a password hash. Then you will use % ldapadd; or % ldapmod; to add a new user entry with DN 'cn=Admin,dc=example,dc=com'. Please do read the manual pages for those, or some books about LDIF.
I've read the docs, they just don't seem clear.
Robert Heller wrote:
Basically pretty much straight from section 6.3 of the Admin guide.
Well, ok then. Btw, you're reading the guide for 2.4.x (and you have 2.3.x). Anyway. Yes, the 'Admin' entry != the Manager entry. It's probably been added later by a 3rd-party application, or using % slapadd; or % slapmod;. It's an example of how to grant permissions to attributes.
Yes, I'm being rude. Yes, I found your question to be a "basic know-how" thing. Also, the whole thing can be studied in many books out there. And believe it, it's not that much to read.
I've *been* reading the admin guide. It is just not clear to me.
Also, if you are looking for some very specific how-to which is going to be tailored specially for you, I have somewhat resigned from such ideas. But yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos [oh, well - google?].
I'm using CentOS (RHEL).
This is not Windows. This is the world of GNU/Linux. I'm just surprised by the assumption (usually an employer's vision) that you have to know some distribution inside and out to be able to administer it. It's GNU/Linux and it doesn't matter if it's called CentOS, Fedora, Bubuntu, Gentoo or whatnot. I'm not going to google for you, sorry. If there is no specific how-to for CentOS, which I almost fail to believe, then improvise. Read a how-to for another distro and put the pieces together. I presume you know how to install packages in CentOS, don't you? You should be able to handle the rest. I can imagine only the location of files and the text editor used will differ.
I've read the docs, they just don't seem clear.
I've just described the whole process to you. What exactly isn't clear? Btw, why don't you use some 3rd-party application like e.g. Apache Directory Studio? I'm pretty sure it'd make things easier (and faster) for you.
Zdenek
At Sat, 05 Dec 2009 21:12:14 +0100 Zdenek Styblik stybla@turnovfree.net wrote:
Well, ok then. Btw you're reading guide for 2.4.x (and you have 2.3.x).
Yes, I know.
Anyway. Yes, the 'Admin' entry != the Manager entry. It's probably been added later by a 3rd-party application, or using % slapadd; or % slapmod;. It's an example of how to grant permissions to attributes.
This was just not stated in the admin documentation.
This is not Windows. This is the world of GNU/Linux. I'm just surprised by the assumption (usually an employer's vision) that you have to know some distribution inside and out to be able to administer it. It's GNU/Linux and it doesn't matter if it's called CentOS, Fedora, Bubuntu, Gentoo or whatnot.
I've been using and admining Linux since kernel version 0.99 (an early Slackware release, installed from a shoebox full of floppies). I've been using RedHat from RH 4.2 (not RHEL4!) through RH 9 (skipping RH 8), WBL 3.0, and CentOS 4.x and CentOS 5.x. *I've* *never* used MS-Windows.
The thing is, I in fact have OpenLDAP up and running just fine and everything works, except there is just the lack of something to allow users to change their passwords. That is the only thing I am having trouble with. And the only thing that does not seem to be well covered in the admin guide.
I'm not going to google for you, sorry. If there is no specific how-to for CentOS, which I almost fail to believe, then improvise. Read a how-to
There is a set of docs for RHEL (same thing as CentOS). They just lack explaining how to set things up to allow users to change their own passwords. I followed this doc to get OpenLDAP up and running.
for another distro and put the pieces together. I presume you know how to install packages in CentOS, don't you? You should be able to handle the rest. I can imagine only the location of files and the text editor used will differ.
I have been googling, but not getting all that useful results. The latest is a reference to a book 'OpenLDAP by Example', which the ACM claims exists, but Amazon does not carry (not even listed as out-of-print).
I've just described you whole process. What exactly isn't clear?
Oh, I understand your explanation above, but your explanation is not in the admin guide -- in its example slapd.config section it makes no reference to where things are coming from. This seems like a problem with the manual on some level.
btw Why don't you use some 3rd application like eg. Apache's Directory studio? I'm pretty sure I'd make things easier (and faster) for you.
I don't need a heavyweight application and I would prefer something that is installed from a CentOS/RHEL repository, rather than installed from source -- that is something under the O/S's package management system.
Robert Heller wrote:
Robert Heller wrote:
> In the sample config it has an access control list that looks like:
>
> access to attrs=userPassword
>     by self write
>     by anonymous auth
>     by dn.base="cn=Admin,dc=example,dc=com" write
>     by * none
>
> Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this
> something I add to slapd.config or insert into the database or ???
The text of the example refers to the "admin" entry. Obviously an "entry" refers to an entry in the database.
Well, ok then. Btw you're reading guide for 2.4.x (and you have 2.3.x).
Yes, I know.
We've stated time and time again, use the docs that came with the version of the software you're running. You're being deliberately obtuse here.
I'm using CentOS (RHEL).
I don't need a heavyweight application and I would prefer something that is installed from a CentOS/RHEL repository, rather than installed from source -- that is something under the O/S's package management system.
Then go waste RedHat's time, not ours. 2.3 has been phased out. 2.4 has been available since 2007. If you want to use the outdated stuff your vendor provides, then you should be getting support from your vendor as well.
On Sat, 2009-12-05 at 12:09 -0500, Robert Heller wrote:
    access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Admin,dc=example,dc=com" write
        by * none
Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this something I add to slapd.config or insert into the database or ???
The Admin password can be set via rootpw in slapd.conf.
~Chamith
On Fri, Dec 4, 2009 at 5:55 PM, Robert Heller heller@deepsoft.com wrote:
Have you tried ldappasswd? Or alternatively passwd -r ldap?
HTH
Regards,
Serge Fonville
At Sun, 6 Dec 2009 02:13:28 +0100 Serge Fonville serge.fonville@gmail.com wrote:
Have you tried ldappasswd?
ldappasswd's man pages say:
ldappasswd is neither designed nor intended to be a replacement for passwd(1) and should not be installed as such.
Are the man pages wrong?
Or alternatively passwd -r ldap?
The version of passwd available under CentOS 5 (0.73) does not have a -r option.
On Sunday, 6 December 2009 15:49:58 Robert Heller wrote:
Have you tried ldappasswd?
ldappasswd's man pages say:
ldappasswd is neither designed nor intended to be a replacement for passwd(1) and should not be installed as such.
I am not sure what this is implying. It may be that it is implying it should not be installed in place of a typical passwd program (e.g. over /bin/passwd). However, ldappasswd can be used by users to change their own passwords, and is definitely useful for testing whether password changing works (to rule out application configuration issues).
Are the man pages wrong?
Regarding what?
Or alternatively passwd -r ldap?
I think this is Solaris-specific.
The version of passwd available under CentOS 5 (0.73) does not have a -r option.
Your PAM configuration should have been updated (if you used authconfig or similar) to change passwords via LDAP, so 'passwd' as an LDAP user should work.
Regards, Buchan
Sent: Monday, December 07, 2009 3:53 AM
To: openldap-technical@openldap.org
Cc: Serge Fonville; Robert Heller
Subject: Re: How To set things up to allow users to change their passwords
Your PAM configuration should have been updated (if you used authconfig or similar) to change passwords via LDAP, so 'passwd' as an LDAP user should work.
More specifically, and to hopefully end this thread, look in libnss-ldap.conf and/or pam_ldap.conf at the pam_password attribute (and set up PAM for LDAP; there are plenty of well-written docs on that online). Set it to exop for slapd to take the plaintext from the passwd command, encrypt it with whatever your slapd.conf says to use for userPassword (default SSHA, set via password-hash), and update the LDAP tree (following any policy guidelines if you use the ppolicy overlay). If you instead went the route of a CGI/PHP page, you can comment out pam_password and set pam_password_prohibit_message to its URL to send users there.
The Admin entry is probably just an example of some "admin" user created for an app or another user to change passwords for users. slapd doesn't auto-create entries unless an overlay or config item tells it to; even the cn=manager,<BASE-DN> entry is "created" from your slapd.conf file (rootdn/rootpw).
-T
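As an added example that is not from the thread, the following Python builds and parses the BER-encoded request value of the LDAP Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1). That operation is what ldappasswd sends, as Buchan mentions, and what "pam_password exop" above makes pam_ldap use, so the server does the hashing per password-hash instead of the client writing userPassword directly. The DN and passwords are constructed sample values; no server connection is made.

```python
# PasswdModifyRequestValue ::= SEQUENCE {
#     userIdentity [0] OCTET STRING OPTIONAL,   -- context tag 0x80
#     oldPasswd    [1] OCTET STRING OPTIONAL,   -- context tag 0x81
#     newPasswd    [2] OCTET STRING OPTIONAL }  -- context tag 0x82
from typing import Dict, Optional, Tuple

PASSWD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"   # requestName of the ExtendedRequest
_FIELD_TAGS = {0x80: "userIdentity", 0x81: "oldPasswd", 0x82: "newPasswd"}


def _ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def encode_passwd_modify(user_dn: Optional[str] = None,
                         old_password: Optional[str] = None,
                         new_password: Optional[str] = None) -> bytes:
    """Encode the requestValue. Omitting user_dn means 'the bound user',
    which is what a self-service change (a user running passwd) sends."""
    body = b""
    if user_dn is not None:
        body += _tlv(0x80, user_dn.encode("utf-8"))
    if old_password is not None:
        body += _tlv(0x81, old_password.encode("utf-8"))
    if new_password is not None:
        body += _tlv(0x82, new_password.encode("utf-8"))
    return _tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one tag/length/value at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_passwd_modify(data: bytes) -> Dict[str, str]:
    """Parse a requestValue back into its optional fields, rejecting
    unknown, repeated or out-of-order tags and truncated input."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single PasswdModifyRequestValue SEQUENCE")
    fields: Dict[str, str] = {}
    pos, last_tag = 0, 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag not in _FIELD_TAGS or tag <= last_tag:
            raise ValueError(f"unexpected tag 0x{tag:02x}")
        fields[_FIELD_TAGS[tag]] = value.decode("utf-8")
        last_tag = tag
    return fields


if __name__ == "__main__":
    # Constructed sample: an admin-style change of another user's password.
    req = encode_passwd_modify("uid=robert,ou=people,dc=example,dc=com",
                               old_password="old1", new_password="new2")
    print(req.hex())
    print(decode_passwd_modify(req))
```

Because the new password crosses the wire in the clear inside this value, the exop route is where the thread's SSL/TLS question matters most.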