
Re: Building openldap with overlays



Sounds like a flaw in the ppolicy schema definition. You can work around this by adding "NO-USER-MODIFICATION" to the definition of the operational attributes in ppolicy.c. (Seems counter-intuitive, but it will work.)

Spicer, Kevin (MBLEA it) wrote:

-----Original Message-----
From: Howard Chu [mailto:hyc@symas.com]

Ah, right. You cannot build the module in HEAD and use it with 2.2.18. You must
copy the ppolicy.c source to the 2.2.18 build tree and build it there.

Right, thanks.  That works now, and all the tests are okay.  Hurrah!

However I now have one (hopefully) small issue with access controls...

If I use the ldappasswd command to update a user's password it works fine
if I bind as the rootdn, but refuses to work if I bind as the user
themselves, i.e.

ldappasswd -Z -x -D "uid=user,ou=People,dc=example,dc=com" -w oldpw -a oldpw -s newpw


I get
Result: Insufficient access (50)

Looking at the logs I can see (trimmed)
acl_mask: access to entry "uid=user,ou=People,dc=example,dc=com", attr "pwdChangedTime" requested
access_allowed: write access denied by read(=rscx)

Now this is clearly because my slapd.conf only allows 'self write'
access to userPassword, whereas the test slapd.conf allows
'access to * by self write'.

pwdChangedTime is an operational attribute, so I don't seem to be able
to set ACLs on it in slapd.conf (other than with a wildcard). Also I
would have thought that it is not desirable to give a user write access
to the password expiry control information in their own account(?)




BMRB International http://www.bmrb.co.uk
+44 (0)20 8566 5000

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
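
An added example, not part of the original thread or of OpenLDAP: a small Python triage script that pairs acl_mask requests with the access_allowed verdict that follows them, in the trimmed log shape quoted above, and flags denials that hit password-policy operational attributes such as pwdChangedTime. The sample log lines and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Password-policy operational attributes (draft-behera-ldap-password-policy).
PPOLICY_OPERATIONAL = {
    "pwdchangedtime", "pwdaccountlockedtime", "pwdfailuretime",
    "pwdhistory", "pwdgraceusetime", "pwdreset", "pwdpolicysubentry",
}

REQUEST = re.compile(r'acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
DENIED = re.compile(r'access_allowed: (\w+) access denied by (\w+)\(=?([^)]*)\)')

# Constructed sample in the shape of the trimmed log quoted in the message.
SAMPLE_LOG = '''\
acl_mask: access to entry "uid=user,ou=People,dc=example,dc=com", attr "userPassword" requested
access_allowed: write access granted by write(=wrscx)
acl_mask: access to entry "uid=user,ou=People,dc=example,dc=com", attr "pwdChangedTime" requested
access_allowed: write access denied by read(=rscx)
'''

def find_denials(log_text):
    """Pair each acl_mask request with the access_allowed denial that follows it."""
    denials, pending = [], None
    for line in log_text.splitlines():
        req = REQUEST.search(line)
        if req:
            pending = req.groups()          # (entry DN, attribute)
            continue
        den = DENIED.search(line)
        if den and pending:
            entry, attr = pending
            wanted, level, mask = den.groups()
            denials.append({
                "entry": entry, "attr": attr,
                "wanted": wanted, "granted": level, "mask": mask,
                "ppolicy_operational": attr.lower() in PPOLICY_OPERATIONAL,
            })
        if "access_allowed:" in line:
            pending = None                  # verdict consumed, granted or denied
    return denials

def summarize(denials):
    """Count denials per (attribute, wanted level) for quick triage."""
    return Counter((d["attr"], d["wanted"]) for d in denials)

if __name__ == "__main__":
    for d in find_denials(SAMPLE_LOG):
        note = " (ppolicy operational attribute)" if d["ppolicy_operational"] else ""
        print(f'{d["wanted"]} denied on {d["attr"]}{note}: effective {d["granted"]}(={d["mask"]})')
```

A write denial flagged as a ppolicy operational attribute points at the overlay's own bookkeeping being subjected to the user's ACLs, as in the message above, rather than at a missing userPassword rule.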