ACL problem -- user accessing own password
Hi all,
I have an interesting (well, to me anyway :-) ACL question. My ACLs
are set up like this:
access to attrs=userPassword
    by self write
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by anonymous auth
    by * search
access to attrs=entry
    by self write
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by * read
access to *
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by * read
The entries I am binding as look like this, a pretty standard
posixAccount record, and our own created admin class record:
dn: uid=chris,dc=au,dc=cordoors,dc=com
objectClass: posixAccount
uidNumber: 1946
gidNumber: 400
homeDirectory: /usr/users/chris
loginShell: /bin/tcsh
gecos: Chris Robertson
cn: Chris Robertson
uid: chris
userPassword: myencryptedpassword
dn: uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com
objectClass: ciAdministrator
cn: Chris
sn: Robertson
uid: chris
ou: Artarmon
l: nsw
description: Ldap Directory Programmer
userPassword: myotherencryptedpassword
When I bind as the directory root DN, I can see the userPassword
attribute, but not if I bind as either of the two records above:
ldapsearch -x -C -LLL -W -D uid=chris,dc=au,dc=cordoors,dc=com '(uid=chris)' userPassword
and
ldapsearch -x -C -LLL -W -D uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com '(uid=chris)' userPassword
both produce only
dn: uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com
dn: uid=chris,dc=au,dc=cordoors,dc=com
There is no doubt that I am binding OK, as I a) get no error message, and
b) can see the rest of the record.
Any ideas?
--Chris Robertson
Corinthian Engineering
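As an added illustration (not part of the original post and not OpenLDAP's own code), here is a small Python model of how slapd evaluates ACLs of this shape: the first `access to` directive whose target covers the requested attribute is selected, then the first `by` clause whose subject matches the bound DN decides the privilege level, and a higher level implies every lower one. It parses the ACL text from the post verbatim. Whether a `dn="..."` subject is a regular expression or a literal DN depends on the OpenLDAP release (older releases treated `dn=` as a regex; current releases default to exact matching and need `dn.regex=` for a pattern, see slapd.access(5) for your version), so the model evaluates the ACL both ways. The entry DNs are the ones from the post; the function and class names are my own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Privilege levels in slapd's order; a granted level implies every level below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class ByClause:
    who: str                 # "self", "anonymous", "*", or a DN pattern/literal
    level: str
    is_dn: bool = False      # True when the subject came from dn="..."


@dataclass
class AccessDirective:
    attrs: Optional[Set[str]]            # None means "access to *" (every attribute)
    clauses: List[ByClause] = field(default_factory=list)


def parse_acl(text):
    """Parse the subset of slapd.access(5) syntax used in the post."""
    directives = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("access to"):
            target = line[len("access to"):].strip()
            if target == "*":
                attrs = None
            elif target.startswith("attrs="):
                attrs = {a.strip().lower() for a in target[len("attrs="):].split(",")}
            else:
                raise ValueError(f"unsupported target: {target}")
            directives.append(AccessDirective(attrs))
        elif line.startswith("by "):
            _, who, level = line.split(None, 2)
            m = re.fullmatch(r'dn="(.*)"', who)
            if m:
                directives[-1].clauses.append(ByClause(m.group(1), level, is_dn=True))
            else:
                directives[-1].clauses.append(ByClause(who, level))
        elif line:
            raise ValueError(f"unparsed line: {line}")
    return directives


def who_matches(clause, bind_dn, target_dn, dn_is_regex):
    """Does this by-clause's subject match the bound DN for the given target entry?"""
    b, t = bind_dn.lower(), target_dn.lower()
    if clause.who == "*":
        return True
    if clause.who == "anonymous":
        return b == ""
    if clause.who == "self":                 # bound DN is the entry being accessed
        return b != "" and b == t
    if clause.is_dn:
        if dn_is_regex:                      # dn= read as a regular expression
            return re.fullmatch(clause.who, b, re.IGNORECASE) is not None
        return b == clause.who.lower()       # dn= read as an exact DN
    raise ValueError(f"unsupported who: {clause.who}")


def granted(directives, bind_dn, target_dn, attr, dn_is_regex):
    """Level granted to bind_dn on attr of target_dn: first directive whose target
    covers the attribute wins, then the first by-clause whose subject matches."""
    for d in directives:
        if d.attrs is None or attr.lower() in d.attrs:
            for c in d.clauses:
                if who_matches(c, bind_dn, target_dn, dn_is_regex):
                    return c.level
            return "none"   # directive selected but no clause matched: no access
    return "none"


def allows(level, needed):
    """True if the granted level implies the needed one (e.g. write implies read)."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# The ACL text exactly as given in the post.
ACL = """
access to attrs=userPassword
    by self write
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by anonymous auth
    by * search
access to attrs=entry
    by self write
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by * read
access to *
    by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
    by * read
"""

POSIX_DN = "uid=chris,dc=au,dc=cordoors,dc=com"
ADMIN_DN = "uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com"


def password_access(dn_is_regex):
    """Map (bind DN, target DN) -> level granted on userPassword under one dn= reading."""
    acl = parse_acl(ACL)
    return {(b, t): granted(acl, b, t, "userPassword", dn_is_regex)
            for b in (POSIX_DN, ADMIN_DN) for t in (POSIX_DN, ADMIN_DN)}


if __name__ == "__main__":
    for style in (True, False):
        print("dn= treated as", "regex" if style else "exact DN")
        for (b, t), lvl in password_access(style).items():
            print(f"  {b} -> {t}: {lvl} (read? {allows(lvl, 'read')})")
```

Run as written, the model grants `self` write (and therefore read) on its own userPassword under either reading, so the ACL text alone does not account for the attribute being withheld; the one thing the dn= style changes is cross-entry access, where the CIAdmin bind gets write on the posixAccount's password only when the pattern is treated as a regex and falls through to `by * search` when it is treated as an exact DN.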