ldappasswd needing write access to entry
Hello,
I just set up OpenLDAP 2.0.0 and configured it like this:
defaultaccess: none
access to
dn="cn=.*,o=org,c=de" filter=(objectClass=person) attr=userPassword
by dn="cn=Manager,o=org,c=de" sockurl="ldaps://.*" write
by self sockurl="ldaps://.*" =w
by * sockurl="ldaps://.*" =x
access to
dn="cn=.*,o=org,c=de" filter=(objectClass=person) attr=entry,objectClass,cn
by dn="cn=Manager,o=org,c=de" sockurl="ldaps://.*" write
by * read
When I set the password using something like
ldapmodify -r -Dcn=user,o=org,c=de -W -f a -H ldaps://server:636/
where a contains
dn: cn=user,o=org,c=de
userPassword: <ssha'd pw>
everything works great. But if I try to change the password using
ldappasswd I get
Result: Insufficient access (50)
Additional info: access to authorization entry denied
I ran slapd with -d129 and saw that the password change extop requests
write access to "entry" and doesn't get it due to my configuration. If I
give it write access to the entry everything works great. But I don't want
to do so for production since I don't know what a user with write access
to her entry might additionally be allowed to do with it.
So my question is: Why does ldappasswd need write access to the user's
entry while ldapmodify doesn't? Any help is greatly appreciated!
--
bye, Micha
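To make the two access paths in the post easier to compare, here is an added example (not from the post, and not slapd's own ACL code): a simplified model of OpenLDAP-style ACL evaluation loaded with the two clauses above. It assumes the sockurl and objectClass=person conditions are satisfied, that "=w"/"=x" grant exactly one level while "write" implies every lower level, and, as the -d129 trace reported, that the password extended operation additionally asks for write on the "entry" pseudo-attribute.

```python
import re

# Simplified model of OpenLDAP-style ACL evaluation (not slapd's own code):
# the first "access to" clause whose target matches the DN and attribute is
# used, and within it the first matching "by" clause decides. Constructed
# to mirror the two clauses in the post; sockurl and the objectClass filter
# are assumed to match (ldaps:// client, person entry).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ACLS = [  # (dn regex, attribute set, [(who, level, exact)])
    (r"cn=.*,o=org,c=de", {"userPassword"},
     [("cn=Manager,o=org,c=de", "write", False),
      ("self", "write", True),       # =w: write only, no read/compare/auth
      ("*", "auth", True)]),         # =x: auth only
    (r"cn=.*,o=org,c=de", {"entry", "objectClass", "cn"},
     [("cn=Manager,o=org,c=de", "write", False),
      ("*", "read", False)]),
]

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    return who.lower() == bind_dn.lower()

def granted(bind_dn, target_dn, attr):
    """Return the set of privilege levels bind_dn has on attr of target_dn."""
    for dn_re, attrs, by_clauses in ACLS:
        if not re.fullmatch(dn_re, target_dn) or attr not in attrs:
            continue
        for who, level, exact in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                if exact:                    # "=w" grants exactly that level
                    return {level}
                # "write" implies read, search, compare and auth as well
                return set(LEVELS[1:LEVELS.index(level) + 1])
        return set()                         # clause matched, no "by" matched
    return set()                             # defaultaccess: none

def can(bind_dn, target_dn, attr, level):
    return level in granted(bind_dn, target_dn, attr)

# The post's case: a user bound as herself changing her own password.
USER = "cn=user,o=org,c=de"
MODIFY_OK = can(USER, USER, "userPassword", "write")          # True
EXTOP_OK = MODIFY_OK and can(USER, USER, "entry", "write")    # False
```

With the second clause as written, "self" only reaches "entry" through "by * read", so any operation that checks for write on "entry" is refused even though write on userPassword itself is granted.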