directory-users mailing list archives

From Alex Karasulu <akaras...@gmail.com>
Subject Re: Restting the password for admin user
Date Sat, 19 Sep 2009 14:34:59 GMT
On Sat, Sep 19, 2009 at 4:36 PM, Stefan Zoerner <stefan@labeo.de> wrote:

> Alex Karasulu wrote:
>
>> The administrator entry is just like any other entry and the userPassword
>> field is like any other attribute. You can use these LDAP client tools to
>> update this attribute just the same way even on your SUN machine since this
>> goes over the wire.
>>
>> Hence this mechanism also works for ApacheDS however note that you'll need
>> either the SUN or the OpenLDAP client since we don't have command line
>> tools.
>>
>
> I assume the question is: How to reset the password, if forgotten. The only
> idea I currently have:
>
> - Allow anonymous bind with complete authorization.
> - Reset the password attribute, just as Alex proposes.
> - Disallow anonymous bind with complete authorization.
>
> But I am not sure, whether opening the server that way is possible (be sure
> that it is not available over the wire for others at that time).
>
>
If you've forgotten the administrator password and cannot bind to reset then
Stefan is absolutely right about having to open up the server.  There are 2
things you'll need to do.  Remove all the authorization interceptors and
enable anonymous binds.  This way you'll be able to have anyone reset the
administrator password.  Then you can re-enable the authorization and shut
off anonymous binds.  It would be nice to have some self service
applications to run in the embedded Jetty container now that we have the
container integrated.  This would make it really easy for users to manage
and reset their passwords.

Really I recommend setting the admin password to something and stowing it
away.  You can elevate regular users to administrator status by putting them
in the Administrator group.  The authorization subsystem checks to see if
users are in this group to give them administrator rights.

Regards,
-- 
Alex Karasulu
My Blog :: http://www.jroller.com/akarasulu/
Apache Directory Server :: http://directory.apache.org
Apache MINA :: http://mina.apache.org
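
The reset step from the procedure above, as an added example that is not part of the thread: it builds the LDIF for the userPassword replace, sends it with the OpenLDAP client over an anonymous bind (which only succeeds during the window in which anonymous binds are enabled and the authorization interceptors are removed), and then checks that the server is locked down again once they are restored. It assumes the OpenLDAP command-line tools, an ApacheDS instance on localhost port 10389, and the default administrator DN uid=admin,ou=system.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Assumptions: OpenLDAP client tools installed, ApacheDS listening on
# localhost:10389, administrator entry at the default DN uid=admin,ou=system.
LDAP_URL="ldap://localhost:10389"
ADMIN_DN="uid=admin,ou=system"

# Build the LDIF that replaces userPassword on the given entry.
# Usage: make_ldif DN NEW_PASSWORD
make_ldif() {
  printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$1" "$2"
}

# Apply the modify with an anonymous simple bind (-x, no -D/-w).
# Works only while anonymous binds are enabled and authorization is disabled,
# so run it from the server host itself and close the window right after.
reset_admin_password() {
  make_ldif "$ADMIN_DN" "$1" | ldapmodify -x -H "$LDAP_URL"
}

# After authorization is re-enabled and anonymous binds are shut off:
# 1) an anonymous read of the admin entry must now be refused, and
# 2) the new administrator credentials must bind successfully.
# Usage: verify_locked_down NEW_PASSWORD
verify_locked_down() {
  if ldapsearch -x -H "$LDAP_URL" -b "$ADMIN_DN" -s base dn >/dev/null 2>&1; then
    echo "anonymous access is still allowed; re-check the server configuration" >&2
    return 1
  fi
  ldapwhoami -x -H "$LDAP_URL" -D "$ADMIN_DN" -w "$1" >/dev/null
}
```

Run `reset_admin_password` during the opened window, restore the authorization interceptors and disable anonymous binds, then run `verify_locked_down` with the same password before considering the server back in service.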
