heya,

On Thu, 2005-07-21 at 19:17 -0700, Bill Johnstone wrote:
> Well, LDAP-aware ones, anyway. An LDAP-aware adduser type program for
> example, which would prompt for the password associated with whatever
> dn the admin was trying to connect with.
> However, users should be able to do things like chsh and passwd without
> any knowledge of LDAP. And in fact, with pam_ldap, they can at least
> change their own passwords using plain ol' "passwd" from the shadow
> suite.

I was coming from a different angle. My users don't have command line access nor any unix skills whatsoever. For that scenario I use the web page, which makes a call to an LDAP-aware PAM backend so that they change their passwords that way while I am still able to enforce password policies etc. via PAM.

> I don't see why this needs to be the case. Sure, you need a rootdn to
> initially populate the directory, but after that, it's easy to use ACLs
> to give each user write capability to his own user attributes, such as
> "loginShell".

Sure, but if you have an LDAP setup that doesn't allow anonymous binds then you have to have an extra password input phase that seems to break many command line utils.

> Moreover, it is possible to add a specific user to the
> directory who has write access to the subtree under the ou (via
> ACLs again), and have that password stored within the directory db,
> just like all the other users have their passwords stored. This
> eliminates the need to have a "rootpw" stored within the slapd.conf,
> and due to the ACLs, makes it easier to restrict the ability of the
> administrative user and keep him from damaging the whole directory.

Not entirely following what you are wanting to do with this. Adding a specific user with write access to WHAT subtree under the ou? Generally speaking I wouldn't give a user write access to anything apart from their own entry, and even then in most cases only to their password field and to nothing else. The second part of this makes no sense to me at all. If you can't make the userland utils call LDAP as the user (I don't believe all of them can, most want to run as root) then you have to provide the utils a way of being able to bind and make modifications to any user's entry, which means a pseudo root user.

> They are LDAP-aware replacements for the unix commands from the shadow
> suite, or can be treated as such. pwdutils is another such LDAP-aware
> shadow suite replacement, which actually replaces commands such as
> "passwd" and "chsh", though its documentation leaves something to be
> desired. There is no ebuild at all for pwdutils, though.

My bad, I was mistaking them with some GUI interfaces like GQ.

> Is there an individual or dev group within gentoo that I should try to
> contact? robbat2 <at> gentoo . org seems to be involved with both the
> openldap ebuild, as well as diradm ...

File a bug on bugs.gentoo.org

Benjamin Smee (strerror)
-- 
[email protected] mailing list
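The ACL arrangement the two posters are debating (self-write on a user's own attributes, a delegated administrative entry with write access to one subtree instead of a `rootpw` in slapd.conf, and a directory that still rejects anonymous reads) can be expressed directly in OpenLDAP's `access to` directives. The fragment below is an added illustration, not configuration from either poster or from the Gentoo ebuilds they mention; the suffix `dc=example,dc=com`, the `ou=People` container and the `cn=useradmin` entry are assumed names chosen for the example.

```conf
# slapd.conf ACL fragment (added example; names are assumed, not from the thread)
# OpenLDAP evaluates "access to" clauses in order and stops at the first
# clause whose target matches, so the more specific rules must come first.

# Password attribute: a user may change his own, anyone may present it to
# bind ("auth" permits the bind check without permitting a read), nobody
# else can read or write it. "by * none" is the fallthrough.
access to attrs=userPassword
    by self write
    by dn.exact="cn=useradmin,ou=People,dc=example,dc=com" write
    by anonymous auth
    by * none

# Attributes the shadow-suite commands change (chsh, chfn): self-write
# only; authenticated users may read them, anonymous clients may not.
access to attrs=loginShell,gecos,homeDirectory
    by self write
    by dn.exact="cn=useradmin,ou=People,dc=example,dc=com" write
    by users read
    by anonymous none

# Delegated administrator: write access limited to the ou=People subtree,
# so an adduser-style tool binding as this entry can create and modify
# user entries but cannot touch anything above or beside ou=People.
# Its own password is just the userPassword on its entry, covered above.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=useradmin,ou=People,dc=example,dc=com" write
    by users read
    by anonymous none

# Everything else in the directory: authenticated read, no anonymous access,
# and (since no rule grants it) no writes for anyone but the rootdn.
access to *
    by users read
    by anonymous none
```

With `rootpw` left out of slapd.conf, `useradmin` is the only entry that can provision accounts, and the rootdn is only needed (with a password supplied some other way, or via SASL EXTERNAL over ldapi) for schema and ACL changes. The `by anonymous auth` line on `userPassword` is what keeps command-line utilities working when anonymous reads are disabled: a client can still bind as the user without first being able to read anything, which addresses the "extra password input phase" objection in the reply. Before relying on an ACL set like this, check it with `slapacl` for the specific DN and attribute pairs that matter, since a misordered clause silently grants or denies more than intended.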
