
ACL problem -- user accessing own password

Hi all,

I have an interesting (well, to me anyway :-) ACL question.  My ACLs
are set up like this:

access to attrs=userPassword
    by self write
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by anonymous auth
    by * search
access to attrs=entry
    by self write
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by * read
access to *
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by * read

The entries I am binding as look like this, a pretty standard
posixAccount record, and our own created admin class record:

dn: uid=chris,dc=au,dc=cordoors,dc=com
objectClass: posixAccount
uidNumber: 1946
gidNumber: 400
homeDirectory: /usr/users/chris
loginShell: /bin/tcsh
gecos: Chris Robertson
cn: Chris Robertson
uid: chris
userPassword: myencryptedpassword


dn: uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com
objectClass: ciAdministrator
cn: Chris
sn: Robertson
uid: chris
ou: Artarmon
l: nsw
description: Ldap Directory Programmer
userPassword: myotherencryptedpassword

When I bind as the directory root DN, I can see the userPassword
attribute, but not if I bind as either of the two records above:

ldapsearch -x -C -LLL -W -D uid=chris,dc=au,dc=cordoors,dc=com '(uid=chris)' userPassword
and
ldapsearch -x -C -LLL -W -D uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com '(uid=chris)' userPassword

both produce only

dn: uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com

dn: uid=chris,dc=au,dc=cordoors,dc=com

There is no doubt that I am binding OK, as I a) get no error message, and
b) can see the rest of the record.

Any ideas?

--Chris Robertson
Corinthian Engineering
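To make the evaluation order behind the ACLs above explicit, here is an added Python model (not part of this thread and not OpenLDAP's own code) of how slapd picks the applicable clause: the first "access to" directive whose target matches the attribute is used, within it the first matching "by" clause decides, a higher level implies every lower one (write implies read), and no match means no access. It assumes the dn="..." patterns are regular expressions, which is the OpenLDAP 2.0 reading (2.1 and later need dn.regex= for that); the "dc=.." is copied as posted, and the bind DNs come from the entries in the mail.

```python
import re

# OpenLDAP access levels, lowest to highest; a grant at one level
# implies every lower level (write implies read, search, compare, auth).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

ADMIN_RE = "dn:uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com"  # as posted

# The poster's ACL as (target attribute, [(who, level), ...]);
# "*" as a target means any attribute.
ACL = [
    ("userPassword", [("self", "write"), (ADMIN_RE, "write"),
                      ("anonymous", "auth"), ("*", "search")]),
    ("entry", [("self", "write"), (ADMIN_RE, "write"), ("*", "read")]),
    ("*", [(ADMIN_RE, "write"), ("*", "read")]),
]

def who_matches(who, bind_dn, entry_dn):
    """Does one 'by' clause apply to this requester for this entry?
    bind_dn is None for an anonymous request."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn:"):
        # Assumption: dn="..." is a regex, the OpenLDAP 2.0 behaviour.
        return bind_dn is not None and \
            re.fullmatch(who[3:], bind_dn, re.IGNORECASE) is not None
    raise ValueError("unsupported clause: " + who)

def access_level(acl, bind_dn, entry_dn, attr):
    """First matching 'access to' wins; inside it the first matching
    'by' clause wins. No match at all is the implicit 'by * none'."""
    for target, clauses in acl:
        if target != "*" and target.lower() != attr.lower():
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"
    return "none"

def can_read(acl, bind_dn, entry_dn, attr):
    """True when the granted level is read or anything above it."""
    return LEVELS.index(access_level(acl, bind_dn, entry_dn, attr)) \
        >= LEVELS.index("read")
```

Under this model the posixAccount entry binding as itself gets "write" on its own userPassword, so read is expected; an unrelated user gets only "search" and anonymous only "auth".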