Allowing LDAP users to change password


Solution 1

You can't. LDAP is a directory service and does not provide end-user tools. It's the responsibility of the end-user tool to provide this functionality.

E.g. it should be possible using 'passwd', assuming that you've got PAM authentication using LDAP configured correctly.

Solution 2

OpenLDAP's default configuration already has that:

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none
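To make explicit what those four lines grant, here is an added example written for this page (it is not code from the answer and not OpenLDAP's own implementation). It parses the directive and applies slapd's first-match rule for the 'anonymous', 'users', 'self' and '*' selectors; everything else in slapd.access(5) (dn.*, group, set, ssf, ...) is deliberately left out. The sample DNs and the second, misordered ACL are constructed for illustration.

```python
# Toy evaluator for the OpenLDAP 'access to attrs=...' directive.
# Added example for this page; not OpenLDAP code and not from the answer above.
# Models only the who-clauses 'anonymous', 'users', 'self' and '*', and slapd's
# first-match evaluation of 'by' lines. Real slapd ACLs have many more selectors.

# slapd's privilege levels, weakest first; a level implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The directive from the answer above, copied verbatim.
PASSWORD_ACL = """\
access to attrs=userPassword,shadowLastChange
        by anonymous auth
        by self write
        by * none
"""

# A common mistake (constructed for illustration): a broad clause placed first.
MISORDERED_ACL = """\
access to attrs=userPassword
        by * read
        by self write
"""


def parse_acl(text):
    """Parse one 'access to attrs=...' directive into (attrs, [(who, level), ...])."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.strip().startswith("#")]
    if not lines or not lines[0].startswith("access to attrs="):
        raise ValueError("expected an 'access to attrs=' directive")
    attrs = {a.strip().lower() for a in lines[0][len("access to attrs="):].split(",")}
    clauses = []
    for ln in lines[1:]:
        parts = ln.split()
        if len(parts) != 3 or parts[0] != "by" or parts[2] not in LEVELS:
            raise ValueError(f"unsupported clause: {ln!r}")
        clauses.append((parts[1], parts[2]))
    return attrs, clauses


def who_matches(who, bound_dn, target_dn):
    """Does a 'by <who>' selector match this request? bound_dn None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    raise ValueError(f"who-clause {who!r} is not modelled here")


def granted_level(acl_text, bound_dn, target_dn, attr):
    """Level the directive grants; the first matching 'by' clause wins, as in slapd."""
    attrs, clauses = parse_acl(acl_text)
    if attr.lower() not in attrs:
        raise ValueError(f"{attr} is not covered by this directive")
    for who, level in clauses:
        if who_matches(who, bound_dn, target_dn):
            return level
    return "none"  # slapd appends an implicit 'by * none'


def allows(acl_text, bound_dn, target_dn, attr, needed):
    """True if the granted level is at least `needed` (levels are cumulative)."""
    have = LEVELS.index(granted_level(acl_text, bound_dn, target_dn, attr))
    return have >= LEVELS.index(needed)


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"  # constructed sample DNs
    bob = "uid=bob,ou=people,dc=example,dc=com"
    # Anonymous may use the stored hash to bind ('auth') but may not read it back.
    print(allows(PASSWORD_ACL, None, alice, "userPassword", "auth"))    # True
    print(allows(PASSWORD_ACL, None, alice, "userPassword", "read"))    # False
    # The owner may change it; another user gets nothing, not even read.
    print(allows(PASSWORD_ACL, alice, alice, "userPassword", "write"))  # True
    print(allows(PASSWORD_ACL, bob, alice, "userPassword", "read"))     # False
    # With the broad clause first, alice never gets past 'read' on her own entry.
    print(granted_level(MISORDERED_ACL, alice, alice, "userPassword"))  # read
```

Two things the evaluator makes visible: 'by anonymous auth' is what lets an unauthenticated client bind with its password without ever being able to read the hash, and clause order matters, because slapd stops at the first matching 'by' line. A 'by * read' placed ahead of 'by self write' silently caps the entry owner at read, so users can no longer change their own password even though the self clause is still present.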

Solution 3

You can enable the ldap-auth-client (Debian and Ubuntu) to edit passwords like you would on a local machine. If you run dpkg-reconfigure ldap-auth-config and select yes for "Make local root Database admin", this will allow you to run passwd like you normally would.

You can also do this by editing your /etc/ldap.conf file and adding:

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn dn-for-your-admin-account-in-ldap

If you edit the file manually, you need to put the password for the root account in /etc/ldap.secret and make it 600.

You may also have to edit /etc/pam.d/common-password and remove the use_authtok parameter. If you edit your PAM files, be sure to run pam-auth-update or reboot the system.
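As an added example (not code from the answer or from the ldap-auth-client package), the following Python script audits the three things this answer has you edit by hand: the rootbinddn line in /etc/ldap.conf, the mode of /etc/ldap.secret, and the use_authtok option in /etc/pam.d/common-password. The config and PAM fragments are constructed samples, and the secret file is created in a temp location so the script runs without root; on a real host you would point the functions at the actual files and leave owner_uid at its default of 0.

```python
# Audit of the client-side pieces Solution 3 edits by hand.
# Added example for this page, not code from the answer or from any package.
# The file contents below are constructed samples; on a real host you would
# read /etc/ldap.conf, /etc/ldap.secret and /etc/pam.d/common-password instead.
import os
import stat
import tempfile

LDAP_CONF = """\
# constructed /etc/ldap.conf fragment
base dc=example,dc=com
uri ldap://ldap.example.com/
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=example,dc=com
"""

# constructed /etc/pam.d/common-password lines, before and after the edit
PAM_BEFORE = "password   sufficient   pam_ldap.so use_authtok try_first_pass\n"
PAM_AFTER = "password   sufficient   pam_ldap.so try_first_pass\n"


def rootbinddn(ldap_conf_text):
    """Return the rootbinddn value, or None if the directive is absent or commented out."""
    for ln in ldap_conf_text.splitlines():
        s = ln.strip()
        if not s or s.startswith("#"):
            continue
        key, _, value = s.partition(" ")
        if key.lower() == "rootbinddn":
            return value.strip() or None
    return None


def secret_file_problems(path, owner_uid=0):
    """List what is wrong with the secret file; [] means it matches the answer's advice."""
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["rootbinddn is set but the secret file is missing"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"mode is {mode:04o}, expected 0600")
    if st.st_uid != owner_uid:  # root on a real host
        problems.append(f"owner uid {st.st_uid}, expected {owner_uid}")
    if st.st_size == 0:
        problems.append("file is empty")
    return problems


def uses_authtok(pam_text):
    """True if any active (non-comment) line still carries the use_authtok option."""
    return any("use_authtok" in ln.split()
               for ln in pam_text.splitlines()
               if ln.strip() and not ln.strip().startswith("#"))


def audit(ldap_conf_text, secret_path, pam_text, owner_uid=0):
    """Combine the three checks into a list of findings (empty list means all good)."""
    findings = []
    if rootbinddn(ldap_conf_text) is None:
        findings.append("ldap.conf has no rootbinddn; root cannot bind as the admin DN")
    else:
        findings += [f"ldap.secret: {p}" for p in secret_file_problems(secret_path, owner_uid)]
    if uses_authtok(pam_text):
        findings.append("common-password still has use_authtok")
    return findings


def demo_secret_check(mode, content=b"constructed-secret\n"):
    """Create a throwaway secret file with the given mode and audit just that file."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(content)
        path = f.name
    os.chmod(path, mode)
    try:
        return secret_file_problems(path, owner_uid=os.getuid())
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo_secret_check(0o644))  # ['mode is 0644, expected 0600']
    print(demo_secret_check(0o600))  # []
    print(uses_authtok(PAM_BEFORE), uses_authtok(PAM_AFTER))  # True False
```

The mode check is the one that matters most: with rootbinddn set, /etc/ldap.secret holds the admin bind password in clear text, so anything looser than 0600 owned by root hands the directory's admin credential to every local user.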


Updated on September 17, 2022

Comments

  • nitins, over 1 year
    How to allow LDAP users to change password from client machines?

  • nitins, over 13 years
    Any GUI end-user tools available?
  • symcbean, over 13 years
    Yes, any PAM-compliant one. There are other tools which are intended for managing an LDAP system which allow users to change their own passwords (e.g. GoSA), but why go through all that pain just to provide a facility for changing passwords? It's not rocket science to write your own (e.g. logout.sh/computers/ldap).
  • al., over 13 years
    Yes. Doesn't work like this when using the cn=conf backend, of course.
  • chandank, over 11 years
    Any idea how we could do this on 389 directory server?