
ldappasswd needing write access to entry



Hello,

I just set up OpenLDAP 2.0.0 and configured it like this:

defaultaccess: none

access to 
dn="cn=.*,o=org,c=de" filter=(objectClass=person) attr=userPassword
    by dn="cn=Manager,o=org,c=de" sockurl="ldaps://.*" write
    by self sockurl="ldaps://.*" =w
    by * sockurl="ldaps://.*" =x

access to 
dn="cn=.*,o=org,c=de" filter=(objectClass=person) attr=entry,objectClass,cn
    by dn="cn=Manager,o=org,c=de" sockurl="ldaps://.*" write
    by * read

When I set the password using something like

ldapmodify -r -Dcn=user,o=org,c=de -W -f a -H ldaps://server:636/

where a contains

dn: cn=user,o=org,c=de
userPassword: <ssha'd pw>

everything works great. But if I try to change the password using
ldappasswd I get

Result: Insufficient access (50)
Additional info: access to authorization entry denied

I ran slapd with -d129 and saw that the password change extop requests
write access to "entry" and doesn't get it due to my configuration. If I
give it write access to the entry everything works great. But I don't want
to do so for production since I don't know what a user with write access
to her entry might additionally be allowed to do with it.

So my question is: Why does ldappasswd need write access to the user's
entry while ldapmodify doesn't? Any help is greatly appreciated!
-- 
bye, Micha
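To see which "by" clause decides each of the two operations described in the post, here is a small added evaluator (written for this page, not part of OpenLDAP or the original message) that encodes the two access directives above with slapd's first-match rule. It assumes the filter=(objectClass=person) condition is already satisfied and treats anything no clause matches as denied, per "defaultaccess: none".

```python
import re

# Constructed from the two 'access to' directives in the post.
# Each 'by' clause is (who, dn-pattern, sockurl-pattern, access level).
ACLS = [
    {"dn": r"cn=.*,o=org,c=de", "attrs": {"userPassword"},
     "by": [("dn", r"cn=Manager,o=org,c=de", r"ldaps://.*", "write"),
            ("self", None, r"ldaps://.*", "=w"),
            ("*", None, r"ldaps://.*", "=x")]},
    {"dn": r"cn=.*,o=org,c=de", "attrs": {"entry", "objectClass", "cn"},
     "by": [("dn", r"cn=Manager,o=org,c=de", r"ldaps://.*", "write"),
            ("*", None, None, "read")]},
]

# Levels are cumulative: auth(x) < compare(c) < search(s) < read(r) < write(w).
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}


def privileges(level):
    """Expand a level keyword, or an explicit '=xcsrw' set, to single-letter privileges."""
    if level.startswith("="):
        return set(level[1:])
    return set("xcsrw"[:LEVELS[level]])


def check(requester, target, attr, sockurl, needed):
    """True if slapd would grant privilege `needed` on `attr` of `target`.

    The first 'access to' clause whose target DN and attribute match decides;
    inside it, the first 'by' clause whose subject and sockurl match decides and
    later clauses are never consulted. No match at all means 'defaultaccess: none'.
    """
    for acl in ACLS:
        if not re.fullmatch(acl["dn"], target) or attr not in acl["attrs"]:
            continue
        for who, dn_pat, url_pat, level in acl["by"]:
            if who == "dn" and not re.fullmatch(dn_pat, requester):
                continue
            if who == "self" and requester != target:
                continue
            if url_pat and not re.fullmatch(url_pat, sockurl):
                continue
            return needed in privileges(level)
        return False
    return False


if __name__ == "__main__":
    user = "cn=user,o=org,c=de"
    # ldapmodify path: self writes userPassword over ldaps, granted by '=w'.
    print("self write userPassword:", check(user, user, "userPassword", "ldaps://server:636/", "w"))
    # Password-modify extop path: write on the 'entry' pseudo-attribute, only 'by * read' matches.
    print("self write entry:", check(user, user, "entry", "ldaps://server:636/", "w"))
```

The second check reproduces the "access to authorization entry denied" result: the only clause that matches the user against the `entry` pseudo-attribute is `by * read`, so nothing short of a separate clause for `entry` grants the write the extended operation asks for.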