Ubuntu – How to allow LDAP user to change password

ldapopenldapserver

I want to allow ldap user to change their password but how?
passwd? or ldappasswd? It won't work for me this time.
What will be the configurations for this in order the user will successfully change their passwords?

Any help will do. Thanks.

Best Answer

in the slapd.conf write access control rule

access to attrs=userPassword   
by self =xw

But you should be aware that specific rules are to be written first and general rule at the end.
for example following rule has to be written at the end.

access to * by * read

for more information visit: http://www.openldap.org/doc/admin24/access-control.html

MORE INFO
slapd.conf is generally located in

/etc/openldap or  
/etc/ldap/ or 
/usr/local/etc/openldap/ or  
/usr/local/etc/ldap/

There are some changes in newer versions of ldap where slapd.conf is supported but by default the data is stored in slapd.d directory. if you put your custom slapd.conf there, the process will read slapd.conf instead of slapd.d directory

Things to notice

sometimes slapd.conf is present in both local as well as global path try changing both
delete slapd.d direcotry as it is default to make slapd.conf work

Related Solutions

Ubuntu – How to set up Ubuntu Server 10.04 LTS to serve as a samba Primary Domain Controller uses pam modules to authenticate against an LDAP server

There are guides like this one which look at this issue thoroughly.

I find this quite difficult to answer, given all the variables. Since samba and openldap need some extra configuration, an answer here might not be complete.

Ubuntu – SSSD password change not working with LDAP backend

After much research and testing. Here is the answer to allowing users to use passwd function to change their password when they are using SSSD with ldap backend. If they can indeed authenticate with their password via ssh to the SSSD client, then the problem of changing their password which produces the following: "passwd: Authentication token manipulation error" comes from the LDAP ACL. Need self write access to userPassword Attribute

Add the following to your ldap config file when using olc. Edit olcDatabase={2}bdb.ldif olcAccess:

{0}to attrs=userPassword,shadowLastChange by self write by anonymous 
            auth by dn="cn=Manager,dc=domain.com" write by * none

Make sure you add some more to allow reads and writes for any other attributes you want.

olcAccess: {2}to * by * read by users read by anonymous auth

You just have to do it once for all users. {0}to attrs=userPassword... just as I listed above is applied as an ACL to the ldap server and applied globally. If you edit the olcDatabase={2}bdb.ldif olcAccess manually you have to change the CRC, but thats easy as there are many readmes on that.

The other user posted changing bind credentials on the clients /etc/sssd/sssd.conf like this:

ldap_default_bind_dn = cn=Manager,dc=mydomain,dc=fqdn.com ldap_default_authtok_type = password ldap_default_auttok = secret

Modifying in /etc/sssd/sssd.conf bind credentials didn't work for me, but allowing users to selfwrite their userPassword attribute did... You may not always want this, but for using the passwd function on linux clients with SSSD and LDAP backend you need it.

Best Answer

Related Solutions

Ubuntu – How to set up Ubuntu Server 10.04 LTS to serve as a samba Primary Domain Controller uses pam modules to authenticate against an LDAP server

Ubuntu – SSSD password change not working with LDAP backend

Related Question