Robert Heller wrote:
> At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik <[email protected]>
> wrote:
>
>> Robert Heller wrote:
>>> At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter" <[email protected]>
>>> wrote:
>>>
>>>> Robert Heller <[email protected]> writes:
>>>>
>>>>> I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
>>>>> RPMS) and I want to allow users to change their passwords, but I am
>>>>> confused by the documentation (it has both too much and not enough
>>>>> information -- there don't appear to be simple HowTos for common setups).
>>>> http://www.openldap.org/doc/admin24/slapdconfig.html
>>>> see section 6.3
>>> OK, I have set this up, and with some poking around I have gained a
>>> better understanding of what is going on. I have another question:
>>>
>>> In the sample config it has an access control list that looks like:
>>>
>>> access to attrs=userPassword
>>>     by self write
>>>     by anonymous auth
>>>     by dn.base="cn=Admin,dc=example,dc=com" write
>>>     by * none
>>>
>>> Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this
>>> something I add to slapd.config or insert into the database or ???
>>>
>> Evening,
>>
>> -- SNIP ---
>> # cat /etc/openldap/slapd.conf
>> ...
>> rootdn "cn=Manager,dc=domain,dc=tld"
>> rootpw {SSHA}blahBlahHash
>
> It already has a rootdn/rootpw, much like the sample one

Should we have a crystal ball? You haven't shown us a bit of your
configs and are expecting miracles?
Yes, I'm being rude. Yes, I found your question to be a "basic know-how"
thing. Also, the whole thing can be studied in many books out there. And
believe it, it's not that much to read.
Also, if you are looking for some very specific how-to which is going to
be tailored specially for you, I somewhat resigned on such ideas. But
yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos [oh,
well - google?].
If you don't want to waste time with setting up OpenLDAP, which you
should if you're real about using it, then pay somebody. There are
companies doing it for a living.

> (in section
> 6.3) for 'cn=Manager,dc=example,dc=com', the sample slapd.config has this
> also.
> The slapd.config in section 6.3 *ALSO* refers to the DN
> "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from
> "cn=Manager,dc=example,dc=com". How do I specify a password for this
> *OTHER* DN?

You will use % slappasswd; to generate a HASH password. Then, you will use
% ldapadd; or % ldapmod;, to add a new user entry with DN:
'cn=Admin,dc=example,dc=com'.
Please, do read the manual pages for those, or some books about LDIF.

> Or is the slapd.conf in section 6.3 just being gratuitously
> confusing for no good reason?

Well, that's possible. It's been written by people. If there are
mistakes, please, point them out (ideally with appropriate fixes), so
they can be fixed/clarified.
Yeah, the Admin's guide isn't perfect. In fact, some sections are missing,
or lack information.

> I understand that the rootdn has write
> access to everything, no matter what the ACLs say. I am presuming that the
> ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to
> updating accounts. How do I set this other person's password? Is this
> in the database, slapd.conf or ldap.conf or someplace else?
>

Use % ldapmod;.

>> -----------
>>
>> Regards,
>> Zdenek
>>
>

Zdenek

--
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: [email protected]
jabber: [email protected]
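
The procedure from the reply above (hash with slappasswd, then add the entry with ldapadd), written out as an added example that is not part of the original thread. The DNs are the sample ones quoted in the messages; the ldapi:/// URI and the organizationalRole/simpleSecurityObject object classes are assumptions, one common way to create a password-only entry.

```shell
#!/bin/sh
# Added example, not from the thread. Creates the entry that the ACL line
#   by dn.base="cn=Admin,dc=example,dc=com" write
# refers to, so that DN has a password stored in the directory itself.

ROOTDN='cn=Manager,dc=example,dc=com'   # rootdn from slapd.conf (sample value)
ADMINDN='cn=Admin,dc=example,dc=com'    # DN named in the ACL (sample value)

# Print an LDIF entry for DN $1 carrying the hashed password $2.
# Values without a {SCHEME} prefix are refused, so a cleartext password
# never ends up in userPassword.
admin_ldif() {
    dn=$1 hash=$2
    case $hash in
        '{'?*'}'?*) ;;
        *) echo "refusing unhashed userPassword value" >&2; return 1 ;;
    esac
    rdn=${dn%%,*}                       # first RDN, e.g. cn=Admin
    cat <<EOF
dn: $dn
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: ${rdn#cn=}
userPassword: $hash
EOF
}

# Prompt for the new password (slappasswd asks twice), hash it with {SSHA},
# and add the entry while bound as the rootdn. -W prompts for the rootdn
# password; ldapi:/// (assumed to be enabled) keeps that simple bind on the
# local socket instead of sending it over the network.
add_admin() {
    hash=$(slappasswd -h '{SSHA}') || return 1
    admin_ldif "$ADMINDN" "$hash" | ldapadd -x -H ldapi:/// -D "$ROOTDN" -W
}

# Only touch the directory when explicitly asked:  sh add-admin.sh run
if [ "${1:-}" = run ]; then add_admin; fi
```

Once the entry exists, binding as cn=Admin,dc=example,dc=com works through the "by anonymous auth" clause of the same ACL, and the password lives in the database rather than in slapd.conf.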
