Ldap – How to disable password change for openldap user

ldapopenldap

Considering possible solutions for some improvements I run into this theoretical question and I couldn't find a satisfying answer. Some of you may have first-hand experience with this in practice, so here the question goes:

How can I disable password changing for an OpenLDAP user?

The account must stay enabled, allowed to log on to workstations and work as usual, but should not be able to change its own password.
Can this be done?
If so, how difficult is it to implement it?

All suggestions are appreciated!

For reference: Servers and workstations are to run a mixture of FreeBSD and OpenBSD. Accounts to get password disabled are student or generic workstation accounts. Environment is a school.

Best Answer

It's not very clear what you want to do, but you can try to use OpenLDAP ACLs to create the restrictions you need.

Usually, the ability to modify a password is restricted to self and administrators, but you can limit this further for certain OUs.

Related Solutions

OpenLDAP – ACL to Allow Users to Change Their Password

Try something along the lines of:

access to attrs=userPassword
        by self write
        by anonymous auth
        by users none

access to * by * read

(Note that for security reasons you DON'T want everyone able to read the UserPassword attribute -- that would allow people to skim your shadow/encrypted passwords & run a crack program against them easily.)

Edit to add requested explanation of the access to attrs=userPassword ACL above

by self write
The logged in user can write (change) their own userPassword attribute -- this is what lets you change your password.

by anonymous auth
Anonymous users (ones who bound to the directory anonymously - that is, without specifying a DN & password) may access userPassword for the sole purpose of authentication (they don't have access to it for any other purposes, like searching or browsing).

by users none
This denies logged in users access to anyone else's userPassword attribute. Theoretically this could be auth as well, but normally (At least in my environment) a logged-in user shouldn't need to authenticate/bind as another user.

Ldap – OpenLDAP Change core schema

Do not change the core schema. As the name implies, it's the core of the LDAP implementation. If you need more or changed attributes, create a local schema instead.

Best Answer

Related Solutions

OpenLDAP – ACL to Allow Users to Change Their Password

Ldap – OpenLDAP Change core schema

Related Topic