在LDAP中,默认情况下用户无权修改自己的密码,如果用户自行修改密码,会遇到Result: Insufficient access (50)的错误,因此我们需要打开用户修改自己密码的权限。本文基于CentOS 6。
vim /etc/openldap/slapd.conf
修改配置文件,在database config前添加如下内容(注意格式!)
access to attrs=userPassword
by self write
by anonymous auth
by * none
access to * by * read
解释:
by self write表示允许登陆用户修改自己的userPassword属性;
by anonymous auth允许匿名用户(即non-authenticated用户)基于验证目的访问userPassword,而不是其它目的(例如搜索和读取等)
by * none是阻止所有用户访问该用户的userPassword属性
LDAP的访问实体说明:
| Specifier | Entities |
| * | All, including anonymous and authenticated users |
| anonymous | Anonymous (non-authenticated) users |
| users | Authenticated users |
| self | User associated with target entry |
| dn[.<basic-style>]=<regex> | Users matching a regular expression |
| dn.<scope-style>=<DN> | Users within scope of a DN |
然后执行
$ rm -fr /etc/openldap/slapd.d/*
$ slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
#测试配置文件语法是否有错误,如果提示testing succeeded则可以进入下一步
$ chown -R ldap:ldap /etc/openldap/slapd.d/
$ /etc/init.d/slapd restart
参考文档:
centos 6.4 openldap 2.4 版本 系统认证无法更改密码
OpenLDAP ACL to allow users to change their password
LDAP Access Control