Environment: OpenLDAP on Linux (CentOS, Fedora, Red Hat or OEL), with the userPassword attribute already configured.
Objective: let users change their own LDAP userPassword attribute.
Steps:
1. configure the access control part in slapd.conf
access to attr=userPassword
    by self write
    by anonymous auth
    by dn="cn=Manager,dc=dev,dc=domain,dc=com" write
    by * none
# note: the 'by self write' and 'by anonymous auth' clauses above are
# very important, otherwise users cannot change their password by
# themselves.
access to attr=proxyAccess
    by self read
    by dn="cn=Manager,dc=dev,dc=domain,dc=com" write
    by * none
access to *
    by dn="cn=Manager,dc=dev,dc=domain,dc=com" write
    by users read
2. use ldapmodify to change it.
- Method 1: use ldapmodify with Manager DN
[root@mars openldap]# more jephe.ldapmodify
dn: uid=jephe,ou=people,dc=dev,dc=domain,dc=com
changetype: modify
replace: userpassword
userpassword: {MD5}risfylFZSeXVT7IrjtlVdQ==
You can use the command 'slappasswd -h {MD5}' to generate the userpassword line above:
New password: testing
Re-enter new password: testing
{MD5}risfylFZSeXVT7IrjtlVdQ==
- Method 2: use ldapmodify with the user's own DN
Enter LDAP Password:
modifying entry "uid=jephe,ou=people,dc=dev,dc=domain,dc=com"
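To show what the {MD5} value above actually is, here is an added Python example (not part of this note and not OpenLDAP's code): it reproduces the {MD5} and {SSHA} userPassword encodings that slappasswd emits, checks a cleartext against a stored value, and builds the ldapmodify record. The function names are my own, and the 4-byte SSHA salt length is an assumption about slappasswd's default.

```python
import base64
import hashlib
import hmac
import os

# Added example, not OpenLDAP's own code: RFC 2307 style userPassword values
# in the {MD5} and {SSHA} schemes, as emitted by 'slappasswd -h {MD5}' / {SSHA}.

def hash_md5(password):
    """Unsalted {MD5}: base64 of the raw 16-byte MD5 digest (what the note stores)."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")

def hash_ssha(password, salt=None):
    """Salted {SSHA}: base64(sha1(password + salt) + salt); salted, so preferable to {MD5}."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4-byte salt, slappasswd's default length
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify(stored, password):
    """Constant-time check of a cleartext against a stored {MD5} or {SSHA} value."""
    if stored.startswith("{MD5}"):
        return hmac.compare_digest(hash_md5(password), stored)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, salt follows
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported scheme in " + stored)

def change_password_ldif(dn, hashed):
    """Build the ldapmodify record that replaces userPassword for one entry."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: userPassword",
        "userPassword: " + hashed,
        "",
    ])

if __name__ == "__main__":
    # Constructed sample: the note's own value is md5("testing").
    stored = hash_md5("testing")
    print(stored, verify(stored, "testing"))
    print(change_password_ldif("uid=jephe,ou=people,dc=dev,dc=domain,dc=com", hash_ssha("testing")))
```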
3. use ldappasswd to change it
- Method 3: use ldappasswd with Manager DN
Result: Success (0)
- Method 4: use ldappasswd with user own DN
Result: Success (0)
4. ldapmodify to modify some attributes:
ldapmodify -c -x -D "cn=admin......" -W -f filename.ldif
# -W prompts for the bind password; a bare -w would take the next argument (-f) as the password
# more filename.ldif
dn: cn=.....
changetype: modify
replace: loginShell
loginShell: /bin/bash
5. backup and restore ldap database
slapcat -b "dc=jephe,dc=com" -l ldif_file
# stop slapd before restoring with slapadd, then start it again
/usr/local/openldap/sbin/slapadd -b "dc=jephe,dc=com" -l ldif_file