After days of googling and reading docs, threads, and playing all sorts of games, I've *finally* solved it.

Since three-quarters of everything I found ended with "so how the hell *do* you enable users to change their own passwords", and no answer, let me give the answers.

In /usr/local/etc/openldap/slapd.conf, the ACL is
<snip>
access: to attr=userPassword
    by self =xw
    by anonymous auth

access to *
    by self write
    by * read

<snip>
NOTE THAT EACH STANZA *MUST* END WITH A BLANK LINE.

Then, the magic incantation with ldappasswd, I wrapped with a tiny shell script, since ldappasswd *first* asks for the new password, then, as an afterthough, it asks for the current, like no password program I've ever seen. The wrapper is (and this assumes that your users are in the d/b under ou=people):

#!/bin/bash

thisuser=`whoami`
echo "About to update $thisuser's password"
echo
read -p "Current password: " -s opwd
echo
read -p "New password: " -s npwd
echo
ldappasswd -x -D cn=$thisuser,ou=people,dc=att,dc=com -w $opwd -s $npwd

Feel free to pass this on. Hope it keeps some of you from denting your cube walls as you try to deal with openldap.

 mark "UMich? openldap? F, as in FLUNK"

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)
https://www.redhat.com/mailman/listinfo/redhat-list