
Re: change password not possible for all users



Jürgen Magin wrote:

Alexandre Garel wrote:

Jürgen Magin wrote:

Hi list

I have an issue with ACLs for the attribute userPassword.

The entry in slapd.conf is
access to attr=userPassword
       by self write
       by anonymous auth
       by dn="cn=Manager,dc=rfsystems,dc=de" write
       by * none

For a user like
   "cn=Nobody,dc=rfsystems,dc=de"
it is possible to change his password, but for a user like
   "cn=Nobody,ou=sales,dc=rfsystems,dc=de"
it is not.
I tried several entries for userPassword, but it doesn't work.
What am I doing wrong?
Any advice is appreciated.


PS: please don't tell me to read slapd.access or something like that. I tried that before.

Is there any other ACL rule before that one? When OpenLDAP processes ACLs it stops at the first ACL whose "what" clause fits.


These ACLs are before the userPassword ACL.

access to dn="cn=Manager,dc=rfsystems,dc=de"
by * none
access to dn="cn=Gott,dc=rfsystems,dc=de" attr=userPassword
by self write
by * auth
access to dn.children="dc=rfsystems,dc=de" filter="objectclass=sambaSamAccount"
by dn="cn=Administrator,ou=Users,ou=Netzwerk,dc=rfsystems,dc=de" write
by * read

Do your users have the sambaSamAccount objectClass?
In this case I am confused, since I would expect "cn=Nobody,ou=sales,dc=rfsystems,dc=de" to work and "cn=Nobody,dc=rfsystems,dc=de" not to, since it matches the above rule and then just has read access to its account (ACL processing stops at the first rule with a matching "what").
Try changing the rules' order (the rule on the password attribute could be the second one).


Apart from this, is your first rule useful? The directory manager account exists in the slapd.conf file but does not have to exist as an entry in the directory (it's only virtual).
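To make the first-match behaviour discussed in this thread concrete, here is an added toy model of slapd.conf ACL evaluation. It is not OpenLDAP's code and not something either poster wrote; it models only the directive forms that appear above (dn=, dn.children=, attr=, filter=(objectclass=...) and the who-clauses self, anonymous, dn= and *). The two user entries are constructed, and it is an assumption that only the ou=sales user carries the sambaSamAccount objectClass; dn.children is modelled as "any entry strictly below the base, at any depth", and the fall-through level when no rule matches is assumed to mirror slapd's implicit trailing "access to * by * read". The model shows which rule answers a password change for each user with the rules in the order given in the thread, and again after moving the userPassword rule to second place.

```python
# Toy first-match model of slapd.conf ACL evaluation (added illustration,
# not OpenLDAP's implementation). Covers only the directive forms used in
# the thread: dn=, dn.children=, attr=, filter=(objectclass=...), and the
# who-clauses self / anonymous / dn= / *.

# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Assumption: mirrors slapd's implicit trailing "access to * by * read".
DEFAULT_LEVEL = "read"


def norm(dn):
    """Case- and whitespace-insensitive DN comparison key."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_subordinate(entry_dn, base_dn):
    """dn.children: any entry strictly below base_dn, at any depth."""
    e, b = norm(entry_dn), norm(base_dn)
    return e != b and e.endswith("," + b)


class Rule:
    """One 'access to <what> by <who> <level> ...' directive."""

    def __init__(self, by, dn=None, children=None, attr=None, objectclass=None):
        self.by = by                    # [(who, level), ...] in slapd.conf order
        self.dn = dn                    # dn="..." (exact entry match)
        self.children = children        # dn.children="..."
        self.attr = attr                # attr=...
        self.objectclass = objectclass  # filter=(objectclass=...)

    def what_matches(self, entry, attr):
        """Every what-component that is present must match."""
        if self.dn is not None and norm(entry["dn"]) != norm(self.dn):
            return False
        if self.children is not None and not is_subordinate(entry["dn"], self.children):
            return False
        if self.attr is not None and attr.lower() != self.attr.lower():
            return False
        if self.objectclass is not None and self.objectclass.lower() not in (
                oc.lower() for oc in entry["objectClass"]):
            return False
        return True

    def who_level(self, entry, requester):
        """First matching by-clause wins; no match means access is denied."""
        for who, level in self.by:
            if who == "*":
                return level
            if who == "anonymous" and requester is None:
                return level
            if requester is None:
                continue
            if who == "self" and norm(requester) == norm(entry["dn"]):
                return level
            if who.startswith("dn=") and norm(requester) == norm(who[3:]):
                return level
        return "none"


def evaluate(rules, entry, attr, requester):
    """Return (rule index, level); index is None if only the default applies."""
    for i, rule in enumerate(rules):
        if rule.what_matches(entry, attr):  # processing stops at first "what" match
            return i, rule.who_level(entry, requester)
    return None, DEFAULT_LEVEL


def permits(rules, entry, attr, requester, needed):
    _, level = evaluate(rules, entry, attr, requester)
    return LEVELS.index(level) >= LEVELS.index(needed)


BASE = "dc=rfsystems,dc=de"
MANAGER = "cn=Manager,dc=rfsystems,dc=de"

# The four directives quoted in the thread, in their slapd.conf order.
THREAD_ORDER = [
    Rule(dn=MANAGER, by=[("*", "none")]),
    Rule(dn="cn=Gott,dc=rfsystems,dc=de", attr="userPassword",
         by=[("self", "write"), ("*", "auth")]),
    Rule(children=BASE, objectclass="sambaSamAccount",
         by=[("dn=cn=Administrator,ou=Users,ou=Netzwerk,dc=rfsystems,dc=de", "write"),
             ("*", "read")]),
    Rule(attr="userPassword",
         by=[("self", "write"), ("anonymous", "auth"),
             ("dn=" + MANAGER, "write"), ("*", "none")]),
]

# The reordering suggested in the thread: userPassword rule moved to second place.
REORDERED = [THREAD_ORDER[0], THREAD_ORDER[3], THREAD_ORDER[1], THREAD_ORDER[2]]

# Constructed sample entries (assumption: only the ou=sales user is a sambaSamAccount).
PLAIN_USER = {"dn": "cn=Nobody,dc=rfsystems,dc=de",
              "objectClass": ["inetOrgPerson"]}
SAMBA_USER = {"dn": "cn=Nobody,ou=sales,dc=rfsystems,dc=de",
              "objectClass": ["inetOrgPerson", "sambaSamAccount"]}


def can_change_own_password(rules, entry):
    """Would a bind as the entry itself be allowed to write userPassword?"""
    return permits(rules, entry, "userPassword", entry["dn"], "write")


if __name__ == "__main__":
    for name, rules in (("thread order", THREAD_ORDER), ("reordered", REORDERED)):
        for user in (PLAIN_USER, SAMBA_USER):
            idx, level = evaluate(rules, user, "userPassword", user["dn"])
            print(f"{name:13} {user['dn']:45} rule#{idx} -> {level}")
```

With the rules in thread order, the sambaSamAccount entry never reaches the userPassword rule: the dn.children/filter rule answers first and hands every requester "read" on every attribute, so self cannot write. After the reorder, the attr=userPassword rule answers password requests for both entries, and the sambaSamAccount rule still governs the rest of those entries.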