Allowing LDAP users to change password
Solution 1
You can't. LDAP is a directory service and does not provide end-user tools. It's the responsibility of the end-user tool to provide this functionality.
E.g. it should be possible using 'passwd', assuming that you've got PAM authentication using LDAP configured correctly.
Solution 2
OpenLDAP's default configuration already has that:
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none
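A small evaluator for the ACL above, added here as an example and not part of the original answer: it parses slapd.conf-style `access to attrs=...` directives and applies OpenLDAP's first-match rule, so you can check what an anonymous bind, the entry itself, and another authenticated user can do to userPassword before deploying. The DNs are constructed samples; `dn=`/`group=` selectors are not modelled.

```python
import re

# OpenLDAP privilege levels, lowest to highest; each implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse 'access to attrs=... by <who> <level>' directives from slapd.conf text
    (comment lines are dropped and 'by' clauses may sit on their own lines)."""
    body = " ".join(line.split("#", 1)[0] for line in text.splitlines())
    rules = []
    for m in re.finditer(r"access to attrs=(\S+)((?:\s+by\s+\S+\s+\S+)+)", body):
        clauses = re.findall(r"by\s+(\S+)\s+(\S+)", m.group(2))
        rules.append((set(m.group(1).split(",")), clauses))
    return rules

def who_matches(who, bind_dn, target_dn):
    """'by <who>' selectors; bind_dn None means anonymous. dn=/group= not modelled."""
    return {"*": True,
            "anonymous": bind_dn is None,
            "users": bind_dn is not None,
            "self": bind_dn is not None and bind_dn.lower() == target_dn.lower(),
            }.get(who, False)

def allowed(rules, attr, bind_dn, target_dn, wanted):
    """OpenLDAP semantics: the first rule covering the attribute applies, and within
    it the first matching 'by' clause decides; granted iff wanted <= clause level."""
    for attrs, clauses in rules:
        if attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return LEVELS.index(wanted) <= LEVELS.index(level)
        return False  # rule covered the attribute but no clause matched: denied
    return False  # no rule for this attribute; slapd's global default is not modelled

# The ACL quoted in the answer above, plus two constructed sample DNs.
PAGE_ACL = """
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none
"""
ALICE = "uid=alice,ou=people,dc=example,dc=com"
BOB = "uid=bob,ou=people,dc=example,dc=com"

def check_page_acl():
    rules = parse_acl(PAGE_ACL)
    return {
        "anonymous_can_bind": allowed(rules, "userPassword", None, ALICE, "auth"),
        "self_can_change": allowed(rules, "userPassword", ALICE, ALICE, "write"),
        "other_user_can_read": allowed(rules, "userPassword", BOB, ALICE, "read"),
        "anonymous_can_read": allowed(rules, "userPassword", None, ALICE, "read"),
    }
```

Running `check_page_acl()` confirms the intent of the comments in the answer: only the entry itself can write its password, anonymous binds get just enough to authenticate, and nobody else can read the hash.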
Solution 3
You can enable the ldap-auth-client (Debian and Ubuntu) to edit passwords like you would on a local machine. If you run
dpkg-reconfigure ldap-auth-config
and select yes for "Make local root Database admin", this will allow you to run passwd like you normally would.
You can also do this by editing your /etc/ldap.conf file and adding:
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn dn-for-your-admin-account-in-ldap
If you edit the file manually, you need to put the password for the root account in /etc/ldap.secret and make it mode 600.
You may also have to edit /etc/pam.d/common-password and remove the use_authtok parameter. If you edit your PAM files, be sure to run pam-auth-update or reboot the system.
Comments
- nitins (over 1 year): How to allow LDAP users to change password from client machines?
- nitins (over 13 years): Any GUI end user tools available?
- symcbean (over 13 years): Yes - any PAM compliant one. There are other tools which are intended for managing an LDAP system which allow users to change their own passwords (e.g. GoSA) but why go through all that pain just to provide a facility for changing passwords? It's not rocket science to write your own (e.g. logout.sh/computers/ldap)
- al. (over 13 years): Yes. Doesn't work like this when using the cn=config backend of course.
- chandank (over 11 years): Any idea how we could do this on 389 Directory Server?