Discussion:
Allowing users to update their passwords
(too old to reply)
Kartik Vashishta
2015-10-12 21:13:18 UTC
Permalink
Raw Message
Team,

I am not anything but new to ldap. I have however successfully installed
and configured Openldap on CentOS7. Online material was a BIG help.

I am trying to figure out how to allow users to change their own passwords.

Googling pointed me out to this:
access to attrs=userPassword
by self write
by anonymous auth
by users none

access to * by * read

But where and how does this get input into the ldap db. There is no more a
slapd.conf.

Please advise. Regards,

Kartik Vashishta
Dieter Klünter
2015-10-13 07:02:01 UTC
Permalink
Raw Message
Content preview: Am Mon, 12 Oct 2015 16:13:18 -0500 schrieb Kartik Vashishta
<***@gmail.com>: > Team, > > I am not anything but new to ldap. I
have however successfully > installed and configured Openldap on CentOS7.
Online material was a > BIG help. > > I am trying to figure out how to allow
access to attrs=userPassword > by self write > by anonymous auth > by users
none > > access to * by * read > > But where and how does this get input
into the ldap db. There is no > more a slapd.conf. [...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: sys4.de]
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]

Am Mon, 12 Oct 2015 16:13:18 -0500
Team,
I am not anything but new to ldap. I have however successfully
installed and configured Openldap on CentOS7. Online material was a
BIG help.
I am trying to figure out how to allow users to change their own passwords.
access to attrs=userPassword
by self write
by anonymous auth
by users none
access to * by * read
But where and how does this get input into the ldap db. There is no
more a slapd.conf.
slapd-config(5)

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
Andrew Findlay
2015-10-13 10:22:12 UTC
Permalink
Raw Message
Team, > > > > I am not anything but new to ldap. I have however successfully
installed and configured Openldap on CentOS7. Online material was a >
BIG help. > > > > I am trying to figure out how to allow users to change
their own > > passwords. > > > > Googling pointed me out to this: > > access
to attrs=userPassword > > by self write > > by anonymous auth > > by users
none > > > > access to * by * read > > > > But where and how does this get
input into the ldap db. There is no > > more a slapd.conf. > > slapd-config(5)
[...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: skills-1st.co.uk]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Cc: openldap-***@openldap.org
X-BeenThere: openldap-***@openldap.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OpenLDAP Technical Discussion list <openldap-technical.openldap.org>
List-Unsubscribe: <http://www.openldap.org/lists/mm/options/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=unsubscribe>
List-Archive: <http://www.openldap.org/lists/openldap-technical/>
List-Post: <mailto:openldap-***@openldap.org>
List-Help: <mailto:openldap-technical-***@openldap.org?subject=help>
List-Subscribe: <http://www.openldap.org/lists/mm/listinfo/openldap-technical>,
<mailto:openldap-technical-***@openldap.org?subject=subscribe>
Errors-To: openldap-technical-***@openldap.org
Sender: "openldap-technical" <openldap-technical-***@openldap.org>
X-Spam-Score: -1.9 (-)
X-Spam-Report: Spam detection software, running on the system "gauss.openldap.net", has
identified this incoming email as possible spam. The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email. If you have any questions, see
the administrator of that system for details.
Team, > > > > I am not anything but new to ldap. I have however successfully
installed and configured Openldap on CentOS7. Online material was a >
BIG help. > > > > I am trying to figure out how to allow users to change
their own > > passwords. > > > > Googling pointed me out to this: > > access
to attrs=userPassword > > by self write > > by anonymous auth > > by users
none > > > > access to * by * read > > > > But where and how does this get
input into the ldap db. There is no > > more a slapd.conf. > > slapd-config(5)
[...]

Content analysis details: (-1.9 points, 5.0 required)

pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: openldap.org]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
-1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1%
[score: 0.0000]
Am Mon, 12 Oct 2015 16:13:18 -0500
Team,
I am not anything but new to ldap. I have however successfully
installed and configured Openldap on CentOS7. Online material was a
BIG help.
I am trying to figure out how to allow users to change their own passwords.
access to attrs=userPassword
by self write
by anonymous auth
by users none
access to * by * read
But where and how does this get input into the ldap db. There is no
more a slapd.conf.
slapd-config(5)
Also
http://www.openldap.org/doc/admin24/access-control.html#Access%20Control%20via%20Dynamic%20Configuration

I would suggest changing the access list:

olcAccess: to attrs=userPassword
by self =wx
by anonymous auth
by * none
olcAccess: to * by * read

The important change is the 'self' access. If you use 'write' then you are also
granting read access, so someone who gets control of an authenticated session
would be able to read the user's password. By using =w or =wx you allow
passwords to be changed and to be used in authentication, but you prevent them
being read.

You will need to search your config to find the appropriate entry to add the
above values to. It will be something like olcDatabase=mdb,cn=config

You should also configure a strong hash function for passwords, and ideally you
should install a password policy overlay to enforce password hashing.
The choice of hash function depends on the libraries available in your
operating system. SSHA is always available but is very weak in the face of a
password cracker. The Linux/FreeBSD/OpenBSD '$1$' '$6$' and '$2a$' hashes are
very much stronger. Config looks like this:

olcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: "$6$%.12s"

It should be added to the olcDatabase=frontend,cn=config entry.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
Loading...