At Sat, 05 Dec 2009 19:41:26 +0100 Zdenek Styblik <[email protected]> wrote:

>
> Robert Heller wrote:
> > At Sat, 05 Dec 2009 18:29:55 +0100 Zdenek Styblik <[email protected]>
> > wrote:
> >
> >> Robert Heller wrote:
> >>> At Sat, 05 Dec 2009 09:12:46 +0100 "Dieter Kluenter"
> >>> <[email protected]> wrote:
> >>>
> >>>> Robert Heller <[email protected]> writes:
> >>>>
> >>>>> I have Openldap set up on a CentOS 5 system (using the stock 2.3.43
> >>>>> RPMS) and I want to allow users to change their passwords, but I am
> >>>>> confused by the documentation (it has both too much and not enough
> >>>>> information -- there don't appear to be simple HowTos for common
> >>>>> setups).
> >>>> http://www.openldap.org/doc/admin24/slapdconfig.html
> >>>> see section 6.3
> >>> OK, I have set this up, and with some poking around I have gained a
> >>> better understanding of what is going on. I have another question:
> >>>
> >>> In the sample config it has an access control list that looks like:
> >>>
> >>> access to attrs=userPassword
> >>>     by self write
> >>>     by anonymous auth
> >>>     by dn.base="cn=Admin,dc=example,dc=com" write
> >>>     by * none
> >>>
> >>> Where does the password for "cn=Admin,dc=example,dc=com" exist? Is this
> >>> something I add to slapd.config or insert into the database or ???
> >>>
> >> Evening,
> >>
> >> -- SNIP ---
> >> # cat /etc/openldap/slapd.conf
> >> ...
> >> rootdn "cn=Manager,dc=domain,dc=tld"
> >> rootpw {SSHA}blahBlahHash
> >
> > It already has a rootdn/rootpw, much like the sample one
>
> Should we have a crystal ball? You haven't shown us a bit of your
> configs and expecting miracles?

Basically pretty much straight from section 6.3 of the Admin guide.

> Yes, I'm being rude. Yes, I found your question as a "basic know-how"
> thing. Also, whole thing can be studied in many books out there. And
> believe it, it's not that much to read.

I've *been* reading the admin guide. It is just not clear to me.

> Also, if you are looking for some very specific how-to which is going to
> be tailored specially for you, I somewhat resigned on such ideas. But
> yeah, I'm not surprised. There are also Bubuntu, Debian, etc. how-tos
> [oh, well - google?].

I'm using CentOS (RHEL).

> If you don't want to waste time with setting up OpenLDAP, which you
> should if you're real about using it, then pay somebody. There are
> companies doing it for a living.
>
> >(in section
> > 6.3) for 'cn=Manager,dc=example,dc=com', the sample slapd.config has this
> > also.
> > The slapd.config in section 6.3 *ALSO* refers to the DN
> > "cn=Admin,dc=example,dc=com", which is *PRESUMABLY* separate from
> > "cn=Manager,dc=example,dc=com". How do I specify a password for this
> > *OTHER* DN?
>
> You will use % slappasswd; to generate HASH password. Then, you will use
> % ldapadd; or % ldapmod;, to add new user entry with DN:
> 'cn=Admin,dc=example,dc=com'. Please, do read manual pages for those, or
> some books about LDIF.

I've read the docs, they just don't seem clear.

>
> > Or is the slapd.conf in section 6.3 just being gratuitously
> > confusing for no good reason?
>
> Well, that's possible. It's been written by people. If there are
> mistakes, please, point them out (ideally with appropriate fixes), so
> they can be fixed/clarified. Yeah, Admin's guide isn't perfect. In
> fact, some sections are missing, or lack information.
>
> > I understand that the rootdn has write
> > access to everything, no matter what the ACLs say. I'm presuming that the
> > ACL with "cn=Admin,dc=example,dc=com" is to allow someone else access to
> > updating accounts. How do I set this other person's password? Is this
> > in the database, slapd.conf or ldap.conf or someplace else?
> >
>
> Use % ldapmod;.
>
> >> -----------
> >>
> >> Regards,
> >> Zdenek
> >>
> >
>
> Zdenek
>

--
Robert Heller             -- 978-544-6933
Deepwoods Software        -- Download the Model Railroad System
http://www.deepsoft.com/  -- Binaries for Linux and MS-Windows
[email protected]          -- http://www.deepsoft.com/ModelRailroadSystem/
