Simple question about access controls
- To: openldap-software@OpenLDAP.org
- Subject: Simple question about access controls
- From: Darcy Kroeker <darcy.kroeker@gmail.com>
- Date: Thu, 23 Jun 2005 16:10:17 -0400
Hi List,
I'm new to openldap and I'm having trouble getting even the most
simple access controls to work.
I have an openldap (2.2.27) server set up (on RH9) and a client (FC3)
set up to authenticate using LDAP. I have created a test user
named testguy.
With the default acls ("access to * by * read") my testguy can
authenticate, but cannot change his password. This is exactly what I
expect.
If I change it to "access to * by * write" then testguy can change his
password with no trouble. Again, exactly what I expect (though it's
not a smart policy).
But if I change the acl to almost anything else, testguy either loses
the ability to authenticate or loses the ability to change password.
For example, here's a rule (still very simple):
access to *
by self write
by * read
I believe this should allow testguy to authenticate due to the "by *
read" line, and change password due to the "by self write" line. But
nope. Testguy can still authenticate, but an attempt to change
password gets:
LDAP Password incorrect: try again
The above is using the passwd command. Just to try something else, I
tried using ldappasswd instead, I get:
>ldappasswd -WS -x -v "uid=testguy,ou=people,dc=tcl,dc=com"
ldap_bind: Invalid credentials (49)
As a sanity check, I try the same thing but bind as rootdn instead. It works:
>ldappasswd -WS -x -v -D "cn=manager,dc=tcl,dc=com"
"uid=testguy,ou=People,dc=tcl,dc=com"
...
Result: Success (0)
This is pretty basic stuff so I assume I've got something set up
wrong. But what? What am I missing here? Any clues where to look would
be great.
Thanks,
Darcy
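For readers following this thread to learn how slapd access controls behave, here is an added illustration that is not part of the original message. It uses the suffix dc=tcl,dc=com and the rootdn cn=manager,dc=tcl,dc=com that appear in the post; everything else is an assumption about a typical slapd.conf. slapd evaluates `access to` clauses in order and uses only the first one whose `<what>` matches the entry and attribute being accessed; within that clause it applies the first `by` whose `<who>` matches the connection's bound identity, and denies access if none matches. `self` matches only a connection that has already bound successfully as the DN of the entry it is touching, and each access level includes the ones below it (`read` includes `auth`). Giving `userPassword` its own clause keeps the hash from being readable by every client while still permitting the simple bind that needs `auth`:

```conf
# Added example of slapd.conf access rules (not from the original post).
# Assumes suffix dc=tcl,dc=com and rootdn cn=manager,dc=tcl,dc=com as in
# the message. The rootdn is never subject to ACLs, which is why a bind
# as the manager succeeds whatever these rules say.
# slapd.conf only treats lines that start with "#" as comments, and an
# indented line continues the directive above it.

# Weak setting: every client, anonymous ones included, may write anything.
#access to *
#        by * write

# Tighter setting. The password clause must come first, because slapd
# stops at the first "access to" whose <what> matches the attribute.
# - the entry's own bound identity may change its password
# - anonymous connections get only "auth", enough to verify a simple bind
# - nobody else may read, search or compare the stored hash
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Everything else: the entry owner may edit its own entry,
# any other client (bound or anonymous) may read.
access to *
        by self write
        by * read
```

Two points worth keeping in mind when testing rules like these: `self` only applies after a successful bind as that entry, so a command such as `ldappasswd -x` with no `-D` bind DN is an anonymous connection to which `by self write` never applies; and if anonymous reads of the directory are not wanted, `by users read` restricts the last clause to authenticated clients while the `anonymous auth` line on `userPassword` still lets the initial bind succeed.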