However I'm not too familiar with db and whether it would be easy to acheive the same thing, i.e. users be able to change their own record in the dbm users file.
Any ideas?
Dustin Doris wrote:
Ldap will provide that feature for you. An openldap acl might look like this.
access to attr=userPassword by self write by anonymous auth by * none
access to dn.one="ou=useraccounts,dc=yourdomain,dc=com" by self write by dn="cn=freeradius,dc=yourdomain,dc=com" read by anonymous auth by * none
That means you can login and change your own stuff, but can't see anyone elses. Freeradius can read for authorization. This doesn't include reading passwords, which is shown as none in the prior acl.
You then build a webpage front-end, such as with php. Have the user login to the webpage and change their password. The webpage will then send the username/password of the user logged in to ldap for the password change. This means that the webpage itself won't have super user rights and can only change the username/password of the person that is logged in and if they provide the correct username/password in the first place.
Don't want apache? Then build a commandline tool users can use that does the same thing. You can write a shell wrapper over the ldapmodify client that comes with openldap. Then again if you are allowing users local access to a machine in the first place, that is less secure than building a webserver.
You want a command line tool for clients to use on their own computer? That is starting to get hard to support now. I would stay away from that.
If you're not hardcoding any superuser username/password in the webserver, then you know that users can't obtain that information and do anything to the ldap directory. Put the front-end on a different machine and have it only run apache. Put the ldap server on your private network and have the radius server and webserver with an interface on that network. That way the ldap traffic is only going through over private network.
More complex, yes, but its not too bad. Less secure? Anytime you want to add functionality, such as password changes, you will open security. But this setup should be pretty secure.
On Wed, 13 Apr 2005, Maqbool Hashim wrote:
I'm with you. Thank you kindly. Now sorry to keep going on about this but.....
Can you think of an alternative to mysql? Something like a command line password change tool which accesses the users database. I'm just trying to find a way of acheiving this without having to install apache and mysql. More features, more complexity, harder to secure.
Miles Mawyer wrote:
Right.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
