heya,

On Thu, 2005-07-21 at 19:17 -0700, Bill Johnstone wrote:
> Well, LDAP-aware ones, anyway. An LDAP-aware adduser type program for
> example, which would prompt for the password associated with whatever
> dn the admin was trying to connect with.
> However, users should be able to do things like chsh and passwd without
> any knowledge of LDAP. And in fact, with pam_ldap, they can at least
> change their own passwords using plain ol' "passwd" from the shadow
> suite.

I was coming from a different angle. My users don't have command line
access or any unix skills whatsoever. For that scenario I use the web
page, which makes a call to an LDAP-aware pam backend so that they change
their passwords that way while I am still able to enforce password
policies etc. via pam.

> I don't see why this needs to be the case. Sure, you need a rootdn to
> initially populate the directory, but after that, it's easy to use ACLs
> to give each user write capability to his own user attributes, such as
> "loginShell".

Sure, but if you have an LDAP setup that doesn't allow anonymous binds
then you have to have an extra password input phase, and that seems to break
many command line utils.

> Moreover, it is possible to add a specific user to the
> directory who has write access to the subtree under the ou (via
> ACLs again), and have that password stored within the directory db,
> just like all the other users have their passwords stored. This
> eliminates the need to have a "rootpw" stored within the slapd.conf,
> and due to the ACLs, makes it easier to restrict the ability of the
> administrative user and keep him from damaging the whole directory.

Not entirely following what you are wanting to do with this. Adding a
specific user with write access to WHAT subtree under the ou? Generally
speaking I wouldn't give a user write access to anything apart from
their own entry, and even then in most cases only to their password field
and to nothing else.

The second part of this makes no sense to me at all. If you can't make
the userland utils call LDAP as the user (I don't believe all of them
can, most want to run as root) then you have to provide the utils a way
of being able to bind and make modifications to any user's entry, which
means a pseudo root user.

> They are LDAP-aware replacements for the unix commands from the shadow
> suite, or can be treated as such. pwdutils is another such LDAP-aware
> shadow suite replacement, which actually replaces commands such as
> "passwd" and "chsh", though its documentation leaves something to be
> desired. There is no ebuild at all for pwdutils, though.

My bad, I was mistaking them for some GUI interfaces like GQ.

> Is there an individual or dev group within gentoo that I should try to
> contact? robbat2 <at> gentoo . org seems to be involved with both the
> openldap ebuild, as well as diradm ...

File a bug on bugs.gentoo.org.

Benjamin Smee (strerror)

--
gentoo-server@g.o mailing list
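The two ACL designs argued over above (per-user write to one's own attributes, versus a delegated administrator entry with write access to the account subtree so no rootpw has to sit in slapd.conf) can both be expressed in one OpenLDAP slapd.conf access list. The fragment below is an added example written for this page, not something posted in the thread; the suffix dc=example,dc=com, the ou=People container and the cn=useradmin entry are assumed names.

```conf
# Added example (not from the thread). Assumed names: suffix
# dc=example,dc=com, user entries under ou=People, and a delegated
# administrator entry cn=useradmin,ou=People,dc=example,dc=com whose
# userPassword lives in the directory like everyone else's.
#
# slapd tries "access to" rules in order; the first rule whose target
# matches the request is used, and within it the first matching "by"
# clause wins. The userPassword rule therefore comes first, before any
# rule that grants broader read access.

# Passwords: the delegated admin and the owner may set it, unauthenticated
# connections may only use it to authenticate a bind ("auth" is required
# for simple binds even when anonymous searching is disabled),
# and nobody else can read it.
access to attrs=userPassword
    by dn.exact="cn=useradmin,ou=People,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Per-user attributes such as loginShell: owner may change it, others read.
# To restrict users to their password field only, change "self write"
# to "self read" here.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=loginShell
    by self write
    by users read
    by * none

# Delegated administrator for the People subtree: may add, modify and
# delete entries there (the rule covers the entry/children pseudo-attributes
# because no attrs= filter is given) but has no special rights anywhere
# else, so routine account work never needs the rootdn.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=useradmin,ou=People,dc=example,dc=com" write
    by users read
    by * none

# Everything else: authenticated users may read; no anonymous access.
access to *
    by users read
    by * none
```

The effect of each rule can be checked offline against the config with slapacl(8) before restarting slapd, for example `slapacl -f slapd.conf -D "cn=useradmin,ou=People,dc=example,dc=com" -b "uid=alice,ou=People,dc=example,dc=com" userPassword/write` (alice is an assumed test entry). Two caveats: the useradmin entry is itself inside the subtree it can write, so it can edit its own entry (move it to a separate ou if that matters), and leaving "by anonymous auth" out of the userPassword rule silently breaks every simple bind, including the ones pam_ldap makes.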