How to allow LDAP users to change their password from client machines?
4 Answers
You can't. LDAP is a directory service and does not provide end-user tools. It's the responsibility of the end-user tool to provide this functionality.
E.g. it should be possible using 'passwd', assuming that you've got PAM authentication using LDAP configured correctly.

Any GUI end-user tools available? – nitins Sep 16 '10 at 12:23
Yes - any PAM-compliant one. There are other tools which are intended for managing an LDAP system which allow users to change their own passwords (e.g. GoSA), but why go through all that pain just to provide a facility for changing passwords? It's not rocket science to write your own (e.g. http://logout.sh/computers/ldap/) – symcbean Sep 16 '10 at 12:38
OpenLDAP's default configuration already has that:
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
by anonymous auth
by self write
by * none

You can enable the ldap-auth-client (Debian and Ubuntu) to edit passwords like you would on a local machine. If you run
dpkg-reconfigure ldap-auth-config
and select yes for "Make local root Database admin", this will allow you to run passwd like you normally would.
You can also do this by editing your /etc/ldap.conf file and adding:
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn dn-for-your-admin-account-in-ldap
If you edit the file manually, you need to put the password for the root account in /etc/ldap.secret and make it mode 600.
You may also have to edit /etc/pam.d/common-password and remove the use_authtok parameter. If you edit your PAM files, be sure to run pam-auth-update or reboot the system.

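The following is an added example and not part of any of the answers above. It is a small POSIX shell checker for the three client-side settings this answer depends on before an LDAP user can run passwd as the first answer suggests: an active rootbinddn in ldap.conf, a mode-600 ldap.secret, and no use_authtok on the pam_ldap.so line of common-password. It runs against constructed sample files so it works offline; the admin DN cn=admin,dc=example,dc=com, the sample PAM lines and the temporary paths are assumptions, not taken from the page.

```shell
#!/bin/sh
# Added example (not from the original answers): check the client-side
# settings the answer above relies on before telling users to run `passwd`.
#   1. rootbinddn is set (uncommented) in ldap.conf
#   2. ldap.secret exists and is mode 0600
#   3. the pam_ldap.so line in common-password does not carry use_authtok
# Paths are arguments, so the real files can be checked with
#   check_ldap_client_config /etc/ldap.conf /etc/ldap.secret /etc/pam.d/common-password
# The admin DN, the sample PAM lines and the temporary files below are
# constructed for the demo and are assumptions.

check_ldap_client_config() {
    ldap_conf=$1; ldap_secret=$2; pam_password=$3; rc=0

    # 1. an active (uncommented) rootbinddn line with a value
    if ! grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+[^[:space:]]' "$ldap_conf"; then
        echo "FAIL: no rootbinddn in $ldap_conf"; rc=1
    fi

    # 2. the admin bind password file must exist and be readable by root only
    if [ ! -f "$ldap_secret" ]; then
        echo "FAIL: $ldap_secret missing"; rc=1
    else
        mode=$(stat -c %a "$ldap_secret" 2>/dev/null || stat -f %Lp "$ldap_secret")
        if [ "$mode" != "600" ]; then
            echo "FAIL: $ldap_secret is mode $mode, expected 600"; rc=1
        fi
    fi

    # 3. use_authtok on the pam_ldap.so password line makes pam_ldap reuse the
    #    token from an earlier module instead of prompting itself
    if grep -Eq '^[[:space:]]*password.*pam_ldap\.so.*use_authtok' "$pam_password"; then
        echo "FAIL: use_authtok still set on the pam_ldap.so line in $pam_password"; rc=1
    fi

    return $rc
}

# Write a constructed sample config tree into $1; variant "bad" reproduces the
# three mistakes the check looks for, anything else builds a correct tree.
make_sample_config() {
    dir=$1; variant=$2
    mkdir -p "$dir/pam.d"
    if [ "$variant" = bad ]; then
        printf '# rootbinddn cn=admin,dc=example,dc=com\n' > "$dir/ldap.conf"
        printf 'not-a-real-secret\n' > "$dir/ldap.secret"
        chmod 644 "$dir/ldap.secret"
        printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass\n' > "$dir/pam.d/common-password"
    else
        printf 'rootbinddn cn=admin,dc=example,dc=com\n' > "$dir/ldap.conf"
        printf 'not-a-real-secret\n' > "$dir/ldap.secret"
        chmod 600 "$dir/ldap.secret"
        printf 'password [success=1 user_unknown=ignore default=die] pam_ldap.so try_first_pass\n' > "$dir/pam.d/common-password"
    fi
}

# Run the check against a freshly built sample tree; returns the check's status.
run_demo() {
    tmp=$(mktemp -d)
    make_sample_config "$tmp" "$1"
    if check_ldap_client_config "$tmp/ldap.conf" "$tmp/ldap.secret" "$tmp/pam.d/common-password"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

run_demo good && echo "good sample: all checks pass"
run_demo bad  || echo "bad sample: rejected as expected"
```

Once the real files pass, an LDAP user on the client changes their password with plain passwd, as the first answer says. With the OpenLDAP ACL from the second answer (by self write on userPassword) the same user can also do it without any PAM setup at all via ldappasswd, which uses the LDAP Password Modify extended operation rather than writing userPassword directly, e.g. ldappasswd -x -H ldap://server -D "uid=alice,ou=people,dc=example,dc=com" -W -S (host and DN assumed).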
For users of 389 using bind accounts, you can create an ACL like the following for bind accounts:
(targetattr ="*")(version 3.0;acl "Bind Accounts";allow (all) (groupdn = "ldap:///cn=Bind Accounts, dc=ldap,dc=server");)
