
Changing LDAP user passwords in Java: LDAP users changing their own passwords

Time: 2019-03-21 05:58:24


LDAP uses ACL-based access control.

In the /etc/openldap/slapd.conf file:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#

include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time

# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap

# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password

# Sample security restrictions
#   Require integrity protection (prevent hijacking)
#   Require 112-bit (3DES or better) encryption for updates
#   Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#   Root DSE: allow anyone to read it
#   Subschema (sub)entry DSE: allow anyone to read it
#   Other DSEs:
#     Allow self write access
#     Allow authenticated users read access
#     Allow anonymous users to authenticate
#   Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read

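# The following statements control access.
# The "by" lines must start with whitespace so that slapd reads them as
# continuations of the "access to" line. The last clause is "by * none" so
# that other users are not granted read access to password hashes.
access to dn.subtree="ou=People,dc=bawo,dc=cn" attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=bawo,dc=cn" write
    by self write
    by anonymous auth
    by * none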

# access to attrs=uid,uidNumber,gidNumber,memberUid
#     by * read

# if no access controls are present, the default policy
#
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

# enable on-the-fly configuration (cn=config)
database config
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
    by * none

# enable server status monitoring (cn=monitor)
database monitor
access to *
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
    by dn.exact="cn=admin,dc=bawo,dc=cn" read
    by * none

#######################################################################
# database definitions
#######################################################################

database bdb
suffix "dc=XX,dc=cn"
checkpoint 1024 15
rootdn "cn=admin,dc=XX,dc=cn"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw 123456
# rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

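After adding the statements above, the configuration file has to be loaded into the LDAP service.

service slapd stop
rm -rf /etc/openldap/slapd.d/
# Recreate the directory so that slaptest -F has a target to write to.
mkdir -p /etc/openldap/slapd.d
chown -R ldap:ldap /var/lib/ldap
chown -R ldap:ldap /etc/openldap/
# Test the configuration file and generate the configuration directory:
slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
# If it returns "config file testing succeeded", the configuration is valid.
chown -R ldap:ldap /etc/openldap/slapd.d
service slapd restart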

Once this is done, the LDAP permissions are in place, and users can change their own passwords in phpLDAPadmin.
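The following added example (not code from the original page or from OpenLDAP) models how slapd picks an access level from the `by` clauses of the userPassword rule above, and compares a final `by * read` clause with `by * none`. It covers only this one rule's first-match evaluation; the user DNs are constructed samples and the DN normalisation is a simplifying assumption.

```python
# Added example: a simplified model of how slapd picks the access level from
# the "by" clauses of one rule. It is not OpenLDAP code.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ADMIN = "cn=admin,dc=bawo,dc=cn"          # admin DN from the page's rule


def norm(dn):
    """Simplified DN normalisation (assumption): lower-case, trim around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def password_rule(last_level):
    """The page's userPassword rule; only the level of the final 'by *' varies."""
    return [("dn", ADMIN, "write"), ("self", None, "write"),
            ("anonymous", None, "auth"), ("*", None, last_level)]


def effective_access(clauses, bind_dn, target_dn):
    """First matching 'by' clause wins; bind_dn=None means an anonymous bind."""
    for who, value, level in clauses:
        if (who == "*"
                or (who == "anonymous" and bind_dn is None)
                or (who == "self" and bind_dn and norm(bind_dn) == norm(target_dn))
                or (who == "dn" and bind_dn and norm(bind_dn) == norm(value))):
            return level
    return "none"                          # implicit trailing "by * none"


def can(level, needed):
    """Levels are cumulative: write implies read, read implies auth, and so on."""
    return LEVELS.index(level) >= LEVELS.index(needed)


def foreign_hash_readers(clauses, users):
    """(reader, target) pairs where a user is granted read on another user's hash."""
    return [(r, t) for r in users for t in users
            if r != t and can(effective_access(clauses, r, t), "read")]


# Constructed sample identities under the page's ou=People subtree.
ALICE = "uid=alice,ou=People,dc=bawo,dc=cn"
BOB = "uid=bob,ou=People,dc=bawo,dc=cn"

if __name__ == "__main__":
    for last in ("read", "none"):
        rule = password_rule(last)
        print("by * %s:" % last,
              "self=%s" % effective_access(rule, ALICE, ALICE),
              "anonymous=%s" % effective_access(rule, None, BOB),
              "exposed=%s" % foreign_hash_readers(rule, [ALICE, BOB]))
```

With `by * read` as the last clause, every authenticated user is granted read on every other user's userPassword value; with `by * none`, self-service password changes and binds keep working and that grant disappears.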

The other settings can be explored on your own.

Reference for other permission settings
