
I'm working on an application that requires the use of AWS ParallelCluster assets for some high performance processing. After the initial setup, we need to be able to add/remove user accounts, and I am trying to set that up according to these instructions, which explain how to set up a simple OpenLDAP directory service on the cluster head for this purpose.

I have successfully followed those instructions and am able to make an LDAP non-admin account. When logged in as root, I can set the password of this account using this command:

sudo ldappasswd -H ldap://localhost:389 -x -D "cn=ldapadmin,dc=<stack_name>,dc=internal" -W -S uid=<username>,ou=Users,dc=<stack_name>,dc=internal -y <path/to/file/with/LDAP/password>

At this point, I can switch to the new LDAP non-admin account. Unfortunately, if, while logged in as this user, I execute the command passwd, I get the following error:

password change failed: Insufficient access
passwd: Authentication token manipulation error

How can I configure my OpenLDAP setup so that non-admin users can change their own password?

  • Does this answer your question? [OpenLDAP ACL to allow users to change their password](https://serverfault.com/questions/221083/openldap-acl-to-allow-users-to-change-their-password) – Nikita Kipriyanov Jan 14 '21 at 19:34


The instructions you link to seem to have you make an OpenLDAP db with no access control, which basically means olcRootDn write and * read. (All of your OpenLDAP users can read everything in the database, and even dump it if they can figure out how to get around the default 500 read limit). You'll want to adjust that first.

Minimal viable:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by * auth
olcAccess: {1}to *
  by * read
  • Your ldif was successful, however I needed to remove a duplicated "to". The corrected minimal viable is copied below: dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword by self write by * auth olcAccess: {1}to * by * read – ProlucidDavid Jan 14 '21 at 15:28
  • Can you also clarify, does your minimum viable only resolve the password credential issue? Does it also address the security concern that allows all users to dump everything? – ProlucidDavid Jan 14 '21 at 15:33
  • Fixes credential issue. Stops users from being able to read other users' userPassword (password hash). (They can still read their own userPassword, which you could probably fix with the more granular ACL syntax, but that's more of an intellectual exercise.) – 84104 Jan 15 '21 at 06:50
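To see why the answer's two olcAccess values fix the passwd error and close most of the "everyone can read everything" hole, it helps to run the rules through slapd's evaluation order offline. The following is an added example, not code from the answer above and not OpenLDAP code: a small model of slapd.access(5) first-match semantics that parses the answer's LDIF values (including RFC 2849 continuation lines) and answers the questions raised in the comments for three rule sets: no ACL at all, the answer's ACL, and a stricter variant using exact privileges (`=xw`) that is my addition, not something the answer proposes. The DNs `uid=alice,...`, `uid=bob,...` and the base `dc=cluster,dc=internal` are constructed placeholders for the real `dc=<stack_name>,dc=internal`.

```python
# Added example: an offline model of slapd's olcAccess evaluation, not OpenLDAP
# code and not from the answer above. It handles only what the answer uses:
# 'to *' / 'to attrs=...', 'by self|anonymous|users|*', the ordered access
# levels and the '=' exact-privilege form (no DN patterns, filters,
# break/stop control, and no rootdn bypass).
import re

# Privilege letters implied by each level; higher levels include the lower ones.
LEVEL_PRIVS = {"none": "", "disclose": "d", "auth": "dx", "compare": "dxc",
               "search": "dxcs", "read": "dxcsr", "write": "dxcsrw", "manage": "dxcsrwm"}


def unfold_ldif(lines):
    """RFC 2849: a line starting with one space continues the previous line and
    that single space is dropped, which is why the LDIF indents with two spaces."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_rule(text):
    """'to <what> by <who> <access> ...' -> (attrs-or-None, [(who, privs), ...])."""
    t = text.split()
    if len(t) < 2 or t[0] != "to":
        raise ValueError(f"bad rule: {text!r}")
    if t[1] == "*":
        attrs = None
    elif t[1].startswith("attrs="):
        attrs = {a.lower() for a in t[1][len("attrs="):].split(",")}
    else:
        raise ValueError(f"unsupported target: {t[1]!r}")
    bys = []
    for i in range(2, len(t), 3):
        if t[i] != "by" or i + 2 >= len(t):
            raise ValueError(f"malformed by-clause: {text!r}")
        who, access = t[i + 1], t[i + 2]
        # '=xw' grants exactly those letters; a level name grants it and all below.
        privs = access[1:] if access.startswith("=") else LEVEL_PRIVS[access]
        bys.append((who, set(privs)))
    return attrs, bys


def parse_olc_access(ldif_lines):
    rules = []
    for line in unfold_ldif(ldif_lines):
        if line.startswith("olcAccess:"):
            line = line.split(":", 1)[1]
        rules.append(parse_rule(re.sub(r"^\s*\{\d+\}", "", line)))
    return rules


def by_matches(who, subject, target):
    return {"*": True, "anonymous": subject is None, "users": subject is not None,
            "self": subject is not None and subject.lower() == target.lower()}[who]


def allowed(rules, subject, target, attr, priv):
    """subject is the bind DN, or None for anonymous. The first 'to' clause that
    matches the attribute is used; inside it the first matching 'by' decides; no
    match at either level denies. With no olcAccess at all, slapd behaves as
    'to * by * read' (the state the cluster guide leaves you in)."""
    if not rules:
        rules = [parse_rule("to * by * read")]
    for attrs, bys in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, privs in bys:
            if by_matches(who, subject, target):
                return priv in privs
        return False
    return False


# Constructed sample DNs; the real base is dc=<stack_name>,dc=internal.
ALICE = "uid=alice,ou=Users,dc=cluster,dc=internal"
BOB = "uid=bob,ou=Users,dc=cluster,dc=internal"

# The answer's olcAccess values, continuation lines indented by two spaces.
ANSWER_ACL = ["olcAccess: {0}to attrs=userPassword", "  by self write", "  by * auth",
              "olcAccess: {1}to *", "  by * read"]
# Stricter variant (assumed, not from the answer): exact privileges, so a user
# can set but not read back their own hash, and anonymous may only bind.
STRICT_ACL = ["olcAccess: {0}to attrs=userPassword", "  by self =xw",
              "  by anonymous auth", "  by * none", "olcAccess: {1}to *", "  by * read"]


def scenario(ldif_lines):
    """The questions from the thread, answered for one set of olcAccess values."""
    rules = parse_olc_access(ldif_lines)
    return {
        "alice_sets_own_password": allowed(rules, ALICE, ALICE, "userPassword", "w"),
        "alice_reads_own_hash": allowed(rules, ALICE, ALICE, "userPassword", "r"),
        "bob_reads_alice_hash": allowed(rules, BOB, ALICE, "userPassword", "r"),
        "anonymous_binds_as_alice": allowed(rules, None, ALICE, "userPassword", "x"),
        "bob_reads_alice_cn": allowed(rules, BOB, ALICE, "cn", "r"),
    }


if __name__ == "__main__":
    for name, acl in (("no ACL", []), ("answer", ANSWER_ACL), ("strict", STRICT_ACL)):
        print(name, scenario(acl))
```

With no ACL, `alice_sets_own_password` comes out False (read implies no write, hence "Insufficient access" from passwd) while `bob_reads_alice_hash` is True; with the answer's ACL the first flips to True and the second to False, and `alice_reads_own_hash` stays True because `write` implies `read`, exactly as the comment above says; only the stricter `=xw` form turns that off. Two practical checks before applying the LDIF with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`: confirm the database index really is `{2}hdb` on your head node (`ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" olcDatabase olcAccess` shows it, and it is often `{1}mdb` on current distributions), and, if passwd still fails afterwards, check whether your PAM/NSS stack also tries to update shadowLastChange on the user's entry, which this ACL leaves read-only for everyone but the rootdn.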