Hello list and Happy Friday.
First and foremost I am not an OpenLDAP admin, well I guess that I am now for the purposes of this email.
I’ve been thrust into an environment running an older version of OpenLDAP on CentOS 5 and have been tasked to simply allow users to change their passwords via passwd.
Once a user has logged in on their respective workstation and types passwd we get this:

    Changing password for user johndoe.
    Current Password:
    New password:
    Retype new password:
    passwd: Authentication token manipulation error
This tells me that I need to allow them self write access to the userPassword attribute of the LDAP database?
However, after reading a decent amount of literature, it's suggesting to use olcAccess, but as far as I can tell this does not apply to my specific environment. All of the OpenLDAP data looks to be in /var/lib/ldap versus what I’ve been reading of /etc/openldap/slapd.d.
The /etc/openldap/slapd.conf has this section which looks like what I should focus on:

    # Sample access control policy:
    #       Root DSE: allow anyone to read it
    #       Subschema (sub)entry DSE: allow anyone to read it
    #       Other DSEs:
    #               Allow self write access
    #               Allow authenticated users read access
    #               Allow anonymous users to authenticate
    # Directives needed to implement policy:
    # access to dn.base="" by * read
    # access to dn.base="cn=Subschema" by * read
    # access to *
    #       by self write
    #       by users read
    #       by anonymous auth
    #
    # if no access controls are present, the default policy
    # allows anyone and everyone to read anything but restricts
    # updates to rootdn.  (e.g., "access to * by * read")
    #
    # rootdn can always read and write EVERYTHING!
It sounds like I should start here and see if this solves the issue.
However, where and how do I modify the default access control policy for this environment to allow users to modify their userPassword attribute?
Like I had mentioned, all of the reading thus far suggests olcAccess; however, my database is not in that format?
Again, very, very new here and am forced to work with OpenLDAP 2.3 on a CentOS 5 server for now. This is not to say that I would fare any better in a newer environment due to my lack of any real knowledge in this subject matter.
At any rate thank you in advance.
Humbly yours,
- aurf
openldap-technical@openldap.org
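Added example (not part of the original post, and not the poster's own configuration): the slapd.conf-style "access to" directives that implement the sample policy quoted above, with one extra rule for userPassword so that a user bound as their own DN can change it while nobody else can read the hash. On a 2.3 server configured by slapd.conf these lines go in the file itself, after the database section they apply to; olcAccess is only the cn=config (slapd.d) spelling of the same rules. The suffix, the ou=People container and the shadowLastChange rule are assumptions, not something the post states.

```conf
# /etc/openldap/slapd.conf -- ACL fragment (added example, placeholders assumed:
# the "access to" lines belong after the "database" / "suffix" lines of the
# database they protect, and dc=example,dc=com stands in for the real suffix).
#
# slapd evaluates "access to" clauses in order and stops at the first one whose
# target matches the entry/attribute being touched, so the userPassword rule
# MUST come before the catch-all "access to *" or it is never reached.

# Root DSE and subschema: readable by everyone (clients need these to bind
# and to parse the schema).
access to dn.base=""
        by * read
access to dn.base="cn=Subschema"
        by * read

# userPassword: the entry's owner may write it; everyone else may only use it
# to authenticate.  "auth" lets slapd check a bind password without letting
# the client read the stored hash; "by * none" closes the attribute to all
# other requesters (including authenticated users reading other accounts).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# ASSUMPTION: accounts carry the shadowAccount object class.  pam_ldap-style
# clients also update shadowLastChange on a password change and fail if they
# cannot; remove this rule if the accounts do not use shadow attributes.
access to attrs=shadowLastChange
        by self write
        by * read

# Everything else: owner may update their own entry, authenticated users may
# read, anonymous may only bind (this is the quoted sample policy verbatim).
access to *
        by self write
        by users read
        by anonymous auth
```

"self" only matches when the client binds as the DN of the entry being modified, so the password change has to be performed as the user (bound with the current password), not via rootdn or an administrative bind DN. After editing, check the file parses with `slaptest -f /etc/openldap/slapd.conf`, restart slapd (on CentOS 5 the service is `ldap`: `service ldap restart`), and test the ACL directly before going back to passwd, e.g. `ldappasswd -x -D "uid=johndoe,ou=People,dc=example,dc=com" -W -S` (user DN assumed). An anonymous `ldapsearch -x -b dc=example,dc=com uid=johndoe userPassword` should then return the entry without the userPassword value, which confirms the "by * none" clause is in effect.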