Hi Ralf, hi MJ,

Thanks for the answers up to now!

According to the docs [1], there is the following option for LDAP user sources:

bindAsCurrentUser
If set to YES, SOGo will always keep binding to the LDAP server using the DN of 
the currently authenticated user. If bindFields is set, bindDN and bindPassword 
will still be required to find the proper DN of the user.

In this case the user should be able to change its own password via SOGo.
For this to work, you either need bindFields set (for looking up the user's DN) 
or IDFieldName (the attribute which builds the user's DN, like 
IDFieldName=<loginname>, baseDN).

MJ, I don't know if that works in combination with SAML - since SOGo shouldn't 
know the user's password, it probably binds using the given bindDN, which then 
would need the rights to change other users' passwords.

Ralf, I'm not sure what you're looking for. If you need a frontend for password 
self service, I would either go with the SOGo functionality built in, or with 
the already named LAM. In my use case I have an existing user management via a 
Zend Framework application, which allows that similarly to LAM (we use an admin 
user to set userPassword, setting a custom built crypt-hash using SHA512 with a 
nice number of rounds - should work with most Linux distros [2]).
If you're asking regarding OpenLDAP ACLs to allow a user to change its own 
password, you would find that here: [3]
I don't really know much about the SOGo features themselves, since I'm using SAML 
auth.

Regards,
Christoph

[1] https://sogo.nu/files/docs/SOGoInstallationGuide.html#_authentication_using_ldap
[2] https://en.m.wikipedia.org/wiki/Crypt_(C)#Support_in_operating_systems
[3] http://www.openldap.org/lists/openldap-software/200212/msg00518.html

> On 31.01.2017 at 14:52, lists (li...@merit.unu.edu) <users@sogo.nu> wrote:
> 
> Hi
> 
>> we are looking for a password change mechanism for openldap. Can you
>> please share your knowledge re. this?
> In active directory, end users are allowed to change their own passwords by 
> default. This does require that the connection is made over LDAPS.
> 
> There is a tool called ldap-account-manager (lam) that we used in the past. 
> It included an end-user password change portal.
> (https://www.ldap-account-manager.org/)
> 
> We are also currently testing RedHat's keycloak (SAML/oauth Idp) that 
> will prompt users to change their ldap passwords as well, if they have 
> expired.
> (http://www.keycloak.org/)
> 
> And you're right: Perhaps better to take this offlist if you have more 
> questions. (and yes, I also realise that your question was actually aimed at 
> Christoph)
> 
> Best regards to all,
> MJ
> -- 
> users@sogo.nu
> https://inverse.ca/sogo/lists
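Christoph mentions setting userPassword to a custom-built SHA-512 crypt hash with a high number of rounds. The block below is an added example, not code from this thread, from SOGo or from OpenLDAP: it implements the public sha-crypt "$6$" scheme (the one glibc's crypt(3) uses) in pure standard-library Python, so it keeps working on Python versions where the deprecated crypt module is gone, and it shows what a {CRYPT}-scheme userPassword value with an explicit rounds field looks like. The function names (sha512_crypt, verify, ldap_user_password) and the 100000-round default are my choices, not anything from the list or the docs.

```python
"""SHA-512 crypt ("$6$") password hashing with a configurable round count.

Added example following the sha-crypt specification; not code from the
SOGo list, SOGo or OpenLDAP. Standard library only.
"""
import hashlib
import hmac
import secrets

# crypt(3)'s own base64 alphabet (not the RFC 4648 one).
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
DEFAULT_ROUNDS = 5000                # implied when the hash has no rounds= field
MIN_ROUNDS, MAX_ROUNDS = 1000, 999_999_999
MAX_SALT_LEN = 16


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n characters (6 bits each, least significant first) of a 24-bit word."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_B64[w & 0x3F])
        w >>= 6
    return "".join(out)


def _repeat_to(block: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest and cut it to exactly `length` bytes (sequences P and S)."""
    return (block * ((length + 63) // 64))[:length]


def _encode_digest(c: bytes) -> str:
    """Spec byte permutation: 21 triples (k, k+21, k+42), each rotated left by k % 3, then byte 63."""
    out = []
    for k in range(21):
        base = (k, k + 21, k + 42)
        r = k % 3
        i, j, m = base[r], base[(r + 1) % 3], base[(r + 2) % 3]
        out.append(_b64_from_24bit(c[i], c[j], c[m], 4))
    out.append(_b64_from_24bit(0, 0, c[63], 2))
    return "".join(out)


def _raw_digest(pw: bytes, st: bytes, rounds: int) -> bytes:
    """The sha-crypt core: derive A, P and S, then iterate `rounds` times."""
    b = hashlib.sha512(pw + st + pw).digest()          # B = H(pw, salt, pw)
    a_ctx = hashlib.sha512(pw + st)                    # A starts with pw, salt
    a_ctx.update(_repeat_to(b, len(pw)))               # one byte of B per password byte
    n = len(pw)
    while n > 0:                                       # bits of len(pw): 1 -> B, 0 -> pw
        a_ctx.update(b if n & 1 else pw)
        n >>= 1
    a = a_ctx.digest()
    p = _repeat_to(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _repeat_to(hashlib.sha512(st * (16 + a[0])).digest(), len(st))
    for i in range(rounds):                            # the cost factor lives here
        c = hashlib.sha512()
        c.update(p if i & 1 else a)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(a if i & 1 else p)
        a = c.digest()
    return a


def sha512_crypt(password: str, salt: str, rounds: int = DEFAULT_ROUNDS) -> str:
    """Return '$6$[rounds=N$]salt$digest'; the rounds field is written only when non-default."""
    if "$" in salt:
        raise ValueError("salt must not contain '$'")
    salt = salt[:MAX_SALT_LEN]                         # longer salts are truncated, as in crypt(3)
    rounds = max(MIN_ROUNDS, min(MAX_ROUNDS, rounds))
    digest = _encode_digest(_raw_digest(password.encode(), salt.encode(), rounds))
    rounds_field = "" if rounds == DEFAULT_ROUNDS else f"rounds={rounds}$"
    return f"$6${rounds_field}{salt}${digest}"


def parse_sha512_crypt(hashed: str) -> tuple:
    """Split a $6$ hash into (rounds, salt, digest); raises ValueError on anything else."""
    parts = hashed.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] != "6":
        raise ValueError("not a $6$ hash")
    rest, rounds = parts[2:], DEFAULT_ROUNDS
    if rest[0].startswith("rounds="):
        rounds, rest = int(rest[0][len("rounds="):]), rest[1:]
    if len(rest) != 2:
        raise ValueError("malformed $6$ hash")
    return max(MIN_ROUNDS, min(MAX_ROUNDS, rounds)), rest[0], rest[1]


def verify(password: str, hashed: str) -> bool:
    """Recompute with the stored salt and rounds; compare digests in constant time."""
    try:
        rounds, salt, digest = parse_sha512_crypt(hashed)
    except ValueError:
        return False
    computed = _encode_digest(_raw_digest(password.encode(), salt.encode(), rounds))
    return hmac.compare_digest(computed, digest)


def ldap_user_password(password: str, rounds: int = 100_000) -> str:
    """Value for an OpenLDAP userPassword attribute in {CRYPT} scheme (slapd built with crypt support)."""
    salt = "".join(secrets.choice(_B64) for _ in range(MAX_SALT_LEN))
    return "{CRYPT}" + sha512_crypt(password, salt, rounds)


if __name__ == "__main__":
    value = ldap_user_password("correct horse battery staple")   # constructed sample password
    print(value)
    print(verify("correct horse battery staple", value[len("{CRYPT}"):]))
```

The round count is the only cost knob in this scheme, so picking it is a capacity decision: the verifier (slapd, or whichever component does the bind) pays that cost on every authentication, which is why a value like 100000 is chosen per deployment rather than copied blindly. verify() re-parses the stored string and so also accepts hashes produced by crypt(3) that carry an explicit rounds=5000$ field.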