| 1 |
heya, |
| 2 |
|
| 3 |
On Thu, 2005-07-21 at 19:17 -0700, Bill Johnstone wrote: |
| 4 |
> Well, LDAP-aware ones, anyway. An LDAP-aware adduser type program for |
| 5 |
> example, which would prompt for the password associated with whatever |
| 6 |
> dn the admin was trying to connect with. |
| 7 |
> However, users should be able to do things like chsh and passwd without |
| 8 |
> any knowledge of LDAP. And in fact, with pam_ldap, they can at least |
| 9 |
> change their own passwords using plain ol' "passwd" from the shadow |
| 10 |
> suite. |
| 11 |
|
| 12 |
I was coming from a different angle. My users don't have command line |
| 13 |
access nor any unix skills whatsoever. For that scenario I use the web |
| 14 |
page which makes a call to a ldap aware pam backend so that they change |
| 15 |
their passwords that way while I am still able to enforce password |
| 16 |
policies etc via pam. |
| 17 |
|
| 18 |
> I don't see why this needs to be the case. Sure, you need a rootdn to |
| 19 |
> initially populate the directory, but after that, it's easy to use ACLs |
| 20 |
> to give each user write capability to his own user attributes, such as |
| 21 |
> "loginShell". |
| 22 |
|
| 23 |
sure but if you have a ldap setup that doesn't allow anonymous binds |
| 24 |
then you have to have an extra password input phase that seems to break |
| 25 |
many command line utils. |
| 26 |
|
| 27 |
> Moreover, it is possible to add a specific user to the |
| 28 |
> directory who has write access to the the subtree under the ou (via |
| 29 |
> ACLs again), and have that password stored within the directory db, |
| 30 |
> just like all the other users have their passwords stored. This |
| 31 |
> eliminates the need to have a "rootpw" stored within the slapd.conf , |
| 32 |
> and due to the ACLs, makes it easier to restrict the ability of the |
| 33 |
> administrative user and keep him from damaging the whole directory. |
| 34 |
|
| 35 |
not entirely following what you are wanting to do with this. adding a |
| 36 |
specific user with write access to WHAT subtree under the ou. Generally |
| 37 |
speaking I wouldn't give a user write access to anything apart from |
| 38 |
their own entry and even then in most cases only to their password field |
| 39 |
and to nothing else. |
| 40 |
|
| 41 |
The second part of this makes no sense to me at all. If you can't make |
| 42 |
the userland utils call ldap as the user (I don't believe all of them |
| 43 |
can, most want to run as root) then you have to provide the utils a way |
| 44 |
of being able to bind and make modifications to any users entry which |
| 45 |
means a psuedo root user. |
| 46 |
|
| 47 |
> They are LDAP-aware replacements for the unix commands from the shadow |
| 48 |
> suite, or can be treated as such. pwdutils is another such LDAP-aware |
| 49 |
> shadow suite replacement, which actually replaces commands such as |
| 50 |
> "passwd" and "chsh", though its documentation leaves something to be |
| 51 |
> desired. There is no ebuild at all for pwdutils, though. |
| 52 |
|
| 53 |
my bad, I was mistaking them with some gui interfaces like GQ. |
| 54 |
|
| 55 |
> Is there an individual or dev group within gentoo that I should try to |
| 56 |
> contact? robbat2 <at> gentoo . org seems to be involved with both the |
| 57 |
> openldap ebuild, as well as diradm ... |
| 58 |
|
| 59 |
file a bug on bugs.gentoo.org |
| 60 |
|
| 61 |
Benjamin Smee (strerror) |
| 62 |
|
| 63 |
-- |
| 64 |
gentoo-server@g.o mailing list |
Archives