
Using passwd results in "Insufficient access"



Client side view:

$ passwd
Enter login(LDAP) password:
New password:
Retype new password:
LDAP password information update failed: Insufficient access
passwd: Permission denied
$


Client Info:
Red Hat Linux 7.2

Contents of /etc/ldap.conf:

host station1.example.com
base dc=example,dc=com
ssl start_tls
pam_password md5

Relevant part of Server config running OpenLDAP 2.0.22:

security ssf=128
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.key
TLSCACertificateFile /usr/share/ssl/certs/slapd.pem
TLSCipherSuite HIGH:MEDIUM:+SSLv2

access to dn="" by * read

access to *
        by self write
        by users read
        by anonymous auth


Server started with "./slapd -d 129"

Here is the debug right after I retype the "new password":

connection_get(15): got connid=1
connection_read(15): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 59 contents:
ber_get_next
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_bind
ber_scanf fmt ({iat) ber:
ber_scanf fmt (o}) ber:
do_bind: version=3 dn="uid=dkelson,ou=People,dc=example,dc=com" method=128
dn2entry_r: dn: "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM"
=> dn2id( "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM" )
====> cache_find_entry_dn2id("UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM"): 135 (1 tries)
<= dn2id 135 (in cache)
=> id2entry_r( 135 )
====> cache_find_entry_id( 135 ) "uid=dkelson,ou=People,dc=example,dc=com" (found) (1 tries)
<= id2entry_r( 135 ) 0x8122c90 (cache)
=> access_allowed: auth access to "uid=dkelson,ou=People,dc=example,dc=com" "userPassword" requested
=> dnpat: [1]  nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=dkelson,ou=People,dc=example,dc=com attr: userPassword
=> acl_mask: access to entry "uid=dkelson,ou=People,dc=example,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: auth access granted by read (=rscx)
====> cache_return_entry_r( 135 ): returned (0)
do_bind: v3 bind: "uid=dkelson,ou=People,dc=example,dc=com" to "uid=dkelson,ou=People,dc=example,dc=com"
send_ldap_result: conn=1 op=5 p=3
send_ldap_response: msgid=6 tag=97 err=0
ber_flush: 14 bytes to sd 15
connection_get(15): got connid=1
connection_read(15): checking for input on id=1
ber_get_next
ber_get_next: tag 0x30 len 114 contents:
ber_get_next
ber_get_next on fd 15 failed errno=11 (Resource temporarily unavailable)
do_modify
ber_scanf fmt ({a) ber:
ber_scanf fmt ({i{a[V]}}) ber:
dn2entry_r: dn: "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM"
=> dn2id( "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM" )
====> cache_find_entry_dn2id("UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM"): 135 (1 tries)
<= dn2id 135 (in cache)
=> id2entry_r( 135 )
====> cache_find_entry_id( 135 ) "uid=dkelson,ou=People,dc=example,dc=com" (found) (1 tries)
<= id2entry_r( 135 ) 0x8122c90 (cache)
====> cache_return_entry_r( 135 ): returned (0)
dn2entry_w: dn: "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM"
=> dn2id( "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM" )
====> cache_find_entry_dn2id("UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM"): 135 (1 tries)
<= dn2id 135 (in cache)
=> id2entry_w( 135 )
====> cache_find_entry_id( 135 ) "uid=dkelson,ou=People,dc=example,dc=com" (found) (1 tries)
<= id2entry_w( 135 ) 0x8122c90 (cache)ldbm_modify_internal: UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM
=> access_allowed: write access to "uid=dkelson,ou=People,dc=example,dc=com" "userPassword" requested
=> dnpat: [1]  nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=dkelson,ou=People,dc=example,dc=com attr: userPassword
=> acl_mask: access to entry "uid=dkelson,ou=People,dc=example,dc=com", attr "userPassword" requested
=> acl_mask: to all values by "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: write access denied by read (=rscx)
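Reading an slapd ACL trace by hand is error-prone, so here is a small triage script (an added example, not part of the original post or of OpenLDAP) that groups the `access_allowed` / `acl_get` / `acl_mask` lines into one decision record each and explains every denial. The trace it parses is a constructed excerpt in the shape of the `-d 129` output above; the line formats and the access-level ordering (none < auth < compare < search < read < write) are those of slapd 2.0.

```python
import re
# Constructed excerpt shaped like the slapd -d 129 ACL trace quoted above (not a verbatim copy).
SAMPLE_TRACE = """\
=> access_allowed: auth access to "uid=dkelson,ou=People,dc=example,dc=com" "userPassword" requested
=> acl_get: [1] matched
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
=> access_allowed: auth access granted by read (=rscx)
=> access_allowed: write access to "uid=dkelson,ou=People,dc=example,dc=com" "userPassword" requested
=> acl_get: [1] matched
=> acl_mask: to all values by "UID=DKELSON,OU=PEOPLE,DC=EXAMPLE,DC=COM", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
=> access_allowed: write access denied by read (=rscx)
"""
# slapd access levels, weakest to strongest: a request succeeds when the granted level reaches the requested one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
REQUEST = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
FIELDS = {  # one regex per follow-up line; group 1 is stored under the key
    "acl": re.compile(r'^=> acl_get: \[(\d+)\] matched'),
    "subject": re.compile(r'^=> acl_mask: to all values by "([^"]*)"'),
    "by_pattern": re.compile(r'^<= check a_dn_pat: (.*)$'),
    "granted": re.compile(r'^<= acl_mask: \[\d+\] applying (\w+) '),
}

def parse_decisions(trace):
    # One record per access_allowed check: what was asked, which <access> rule and <by> clause decided it.
    decisions = []
    for line in trace.splitlines():
        m = REQUEST.match(line)
        if m:
            decisions.append({"requested": m[1], "dn": m[2], "attr": m[3], "acl": None,
                              "subject": None, "by_pattern": None, "granted": None})
            continue
        for key, rx in FIELDS.items():
            m = rx.match(line)
            if m and decisions:
                decisions[-1][key] = m[1]
    for d in decisions:
        d["allowed"] = d["granted"] is not None and LEVELS.index(d["granted"]) >= LEVELS.index(d["requested"])
    return decisions

def findings(decisions):
    # Explain each denial; note when the deciding rule and <by> clause also served an anonymous ("") subject.
    out = []
    for d in (x for x in decisions if not x["allowed"]):
        note = f"rule [{d['acl']}] on {d['attr']} matched subject '{d['subject']}' via <by {d['by_pattern']}> and granted {d['granted']}, but {d['requested']} was requested"
        if any(o["acl"] == d["acl"] and o["by_pattern"] == d["by_pattern"] and o["subject"] == "" for o in decisions):
            note += "; the same rule and <by> clause also decided an anonymous request, so later clauses never ran"
        out.append(note)
    return out
```

Run `findings(parse_decisions(SAMPLE_TRACE))` to get the denial explained in one line: the first `access to` rule matched with a `*` subject pattern for both the anonymous `auth` check and the bound user's `write` check, and stopped evaluation at `read`.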