openLDAP and user passwords

[Harry Hoffman]

Hi,

I don't think you quite want that...

I think you want:
access: to attr=userPassword
	by self write
	by anonymous auth
	by * none

access to *
	by * read

You don't really want users to be able to change any attribute about 
themselves...

Cheers,
Harry


m.roth2006 at rcn.com wrote:
> After days of googling and reading docs, threads, and playing all sorts of games, I've *finally* solved it.
> 
> Since three-quarters of everything I found ended with "so how the hell *do* you enable users to change their own passwords", and no answer, let me give the answers.
> 
> In /usr/local/etc/openldap/slapd.conf, the ACL is
> <snip>
>  access: to attr=userPassword
>         by self =xw
>         by anonymous auth
> 
>  access to *
>         by self write
>         by * read
> 
> <snip>
> NOTE THAT EACH STANZA *MUST* END WITH A BLANK LINE.
> 
> Then, the magic incantation with ldappasswd, I wrapped with a tiny shell script, since ldappasswd *first* asks for the new password, then, as an afterthough, it asks for the current, like no password program I've ever seen. The wrapper is (and this assumes that your users are in the d/b under ou=people):
> 
> #!/bin/bash
> 
> thisuser=`whoami`
> echo "About to update $thisuser's password"
> echo
> read -p "Current password: " -s opwd
> echo
> read -p "New password: " -s npwd
> echo
> ldappasswd -x -D cn=$thisuser,ou=people,dc=att,dc=com -w $opwd -s $npwd
> 
> Feel free to pass this on. Hope it keeps some of you from denting your cube walls as you try to deal with openldap.
> 
>    mark "UMich? openldap? F, as in FLUNK"
>