Ldap will provide that feature for you. An openldap acl might look like
this.
    access to attr=userPassword
        by self write
        by anonymous auth
        by * none
    access to dn.one="ou=useraccounts,dc=yourdomain,dc=com"
        by self write
        by dn="cn=freeradius,dc=yourdomain,dc=com" read
        by anonymous auth
        by * none
That means you can log in and change your own stuff, but can't see anyone
else's. Freeradius can read for authorization. This doesn't include
reading passwords, which is shown as none in the prior acl.
You then build a webpage front-end, such as with php. Have the user login
to the webpage and change their password. The webpage will then send the
username/password of the user logged in to ldap for the password change.
This means that the webpage itself won't have super user rights and can
only change the username/password of the person that is logged in and if
they provide the correct username/password in the first place.
Don't want apache? Then build a command-line tool users can use that does
the same thing. You can write a shell wrapper over the ldapmodify client
that comes with openldap. Then again if you are allowing users local
access to a machine in the first place, that is less secure than building
a webserver.
You want a command line tool for clients to use on their own computer?
That is starting to get hard to support now. I would stay away from that.
If you're not hardcoding any superuser username/password in the webserver,
then you know that users can't obtain that information and do anything to
the ldap directory. Put the front-end on a different machine and have it
only run apache. Put the ldap server on your private network and have the
radius server and webserver with an interface on that network. That way
the ldap traffic is only going over the private network.
More complex, yes, but it's not too bad. Less secure? Anytime you want to
add functionality, such as password changes, you will open security. But
this setup should be pretty secure.
On Wed, 13 Apr 2005, Maqbool Hashim wrote:
> I'm with you. Thank you kindly. Now sorry to keep going on about this
> but.....
>
> Can you think of an alternative to mysql? Something like a command line
> password change tool which accesses the users database. I'm just trying
> to find a way of achieving this without having to install apache and
> mysql. More features, more complexity, harder to secure.
>
> Miles Mawyer wrote:
>
> >Right.
> >
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
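An added illustration of the shell wrapper over ldapmodify that the reply suggests (example code, not from the original thread or from OpenLDAP). It assumes entries of the form uid=NAME under the ou=useraccounts branch from the ACL above and an LDAP_URI environment variable; both are assumptions.

```shell
#!/bin/sh
# Self-service password change, binding as the user so the server's
# "by self write" rule on userPassword decides what is allowed; the script
# itself holds no privileged credentials.
set -eu

LDAP_URI="${LDAP_URI:-ldap://ldap.yourdomain.com}"   # assumed server URI
BASE_DN="ou=useraccounts,dc=yourdomain,dc=com"        # branch from the ACL

# user_dn: map a login name to the entry DN. Names with characters outside
# a plain login alphabet are refused so a caller cannot reshape the DN.
user_dn() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    printf 'uid=%s,%s\n' "$1" "$BASE_DN"
}

# password_ldif: emit the LDIF modify record that replaces userPassword on
# exactly one DN. The value is base64-encoded ("::") so any character,
# including leading spaces or colons, survives LDIF parsing.
password_ldif() {
    dn=$1; new=$2
    enc=$(printf '%s' "$new" | base64 | tr -d '\n')
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword:: %s\n' \
        "$dn" "$enc"
}

# change_password: prompt for the new password without echo (never on the
# command line, where ps would show it), then bind with -D as the user's own
# DN; -W asks for the current password, which is the proof the ACL requires.
change_password() {
    dn=$(user_dn "$1") || { echo "refusing user name: $1" >&2; return 2; }
    printf 'New password for %s: ' "$dn" >&2
    trap 'stty echo' EXIT
    stty -echo; read -r new; stty echo; echo >&2
    password_ldif "$dn" "$new" | ldapmodify -x -H "$LDAP_URI" -D "$dn" -W
}

# usage: ./ldap-passwd.sh USERNAME
if [ $# -ge 1 ]; then
    change_password "$1"
fi
```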