Hi!
I have a question: A user can change their password using the standard SSH login.
However, one user with an expired password has a special shell that does not
allow login (the user is logged out immediately).
So I tried to use ldappasswd to change the password using this helper script:
#!/bin/sh
SERVER='ldap://...'
CONTEXT='dc=...'
if [ -n "$1" ]; then
    DN="uid=${1},ou=people,$CONTEXT"
    # The user binds as itself (the ACL grants "by self write" on userPassword).
    MANAGER="$DN"
    echo "$MANAGER changing password for $DN"
    # MANAGER already ends in $CONTEXT; appending "$CONTEXT" a second time would
    # yield a DN with the suffix twice, so bind with "$MANAGER" alone.
    # -W prompts for the bind password; -S (only when a 2nd argument is given)
    # prompts for the new password, otherwise the server generates a random one.
    ldappasswd -H "$SERVER" -x -ZZ -D "$MANAGER" -W ${2:+-S} "$DN"
else
    echo "$0: missing or empty username" >&2
    exit 1
fi
So here the one changing the password is the user itself.
When I use the script with just the username (set random password), I see:
Enter LDAP Password:
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
And when I call it with a second parameter (ask for password), I see:
New password:
Re-enter new password:
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I'm trying to understand: does the user need special ACLs, or do I need
additional parameters?
The essential ACLs for userPassword are:
...
olcAccess: {4}to attrs=shadowLastChange,userPassword,userPKCS12 by
dn.exact="uid=PW-Admin,ou=system,dc=..." write by * break
...
olcAccess: {6}to attrs=userPassword,userPKCS12 by self write by * auth
...
olcAccess: {8}to * by * read
If I use the PW-Admin account, I can change the password, however.
Kind regards,
Ulrich Windl
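The following diagnostic wrapper is an added example, not part of the post above: it builds the user DN once, checks that the suffix does not appear twice in the bind DN, proves the bind with ldapwhoami before touching the password, and maps the LDAP result codes the tools exit with (49, 50, 53) to their likely cause so a bind failure is not mistaken for a missing ACL. Server, suffix and function names are this example's own placeholders.

```shell
#!/bin/sh
# Added diagnostic helper; assumes OpenLDAP's ldapwhoami/ldappasswd are
# installed and the same ou=people layout as the script in the post.
SERVER="${SERVER:-ldap://ldap.example.com}"   # placeholder server
CONTEXT="${CONTEXT:-dc=example,dc=com}"        # placeholder suffix

# Build the user's DN once, so the same value is used for -D and the target.
build_user_dn() {
    printf 'uid=%s,ou=people,%s\n' "$1" "$2"
}

# Return 0 if the suffix occurs exactly once in the DN. This catches the
# '-D "$MANAGER","$CONTEXT"' mistake, which yields ...,dc=...,dc=... twice.
dn_has_single_suffix() {
    dn=$1; suffix=$2
    count=$(printf '%s\n' "$dn" | grep -o -F -- "$suffix" | wc -l)
    [ "$count" -eq 1 ]
}

# OpenLDAP client tools exit with the LDAP result code; translate the ones
# seen in practice so bind problems are not confused with ACL problems.
explain_rc() {
    case $1 in
        0)  echo "ok" ;;
        49) echo "invalid credentials: wrong bind DN or password" ;;
        50) echo "insufficient access: check olcAccess for userPassword" ;;
        53) echo "unwilling to perform: empty password / unauthenticated bind" ;;
        *)  echo "other error (rc=$1)" ;;
    esac
}

# Full run: verify the DN shape, prove the bind with ldapwhoami, then change
# the password as that same DN (covered by "by self write" in the ACL).
change_own_password() {
    dn=$(build_user_dn "$1" "$CONTEXT")
    dn_has_single_suffix "$dn" "$CONTEXT" || { echo "bad DN: $dn" >&2; return 2; }
    ldapwhoami -H "$SERVER" -x -ZZ -D "$dn" -W; rc=$?
    [ "$rc" -eq 0 ] || { echo "bind failed: $(explain_rc "$rc")" >&2; return "$rc"; }
    ldappasswd -H "$SERVER" -x -ZZ -D "$dn" -W -S "$dn"; rc=$?
    explain_rc "$rc"
    return "$rc"
}
```

Run `change_own_password <uid>` from a shell that has sourced the file; a failure before the ldappasswd step is a DN or credential problem, a 50 from ldappasswd points at the ACLs.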