
Re: entry modify failed while trying to change user password

--On Tuesday, July 26, 2005 3:09 PM +0200 Pierangelo Masarati <ando@sys-net.it> wrote:

Hello, I am having some problems with users being able to change their
own passwords on the LDAP server. The result comes back with
"implementation specific error 80" so I assume this means I set up
something incorrectly, but I don't know what. Below is the error, below
that is the security section of my slapd.conf file.

ldappasswd -xSWD "uid=kris,ou=people,dc=xxxxxxxx,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Internal (implementation specific) error (80)
Additional info: entry modify failed

"80" means that something so weird happened that there's no standard code to indicate it. As such, it might be useful to see what's going on on the server side, starting from: version, slapd.conf and logs when the problem occurs.

-- <slapd.conf security section>

access to *
        by * read
access to attrs=userPassword
        by self write
        by * auth

This looks correct.

Actually, I have a question about this. Since access to * by * read comes first, won't the second ACL never be evaluated? My understanding of OpenLDAP ACLs is they stop at the first matching ACL that gives any sort of access (unless there is a by * break in there). And besides, isn't this ACL particularly insecure, in that it would allow anyone to read anyone else's password? I would expect that these two ACLs should be reversed.


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
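
The first-match evaluation raised in the reply above, as an added example that is not part of the original thread and is not OpenLDAP code: a simplified Python model of how slapd picks an access directive, run against the posted order and the reversed order. The DNs are constructed, and the model assumes only the `<who>` forms `*`, `self`, `anonymous`, `users` and an exact DN.

```python
# Simplified model of slapd ACL evaluation; added example, not OpenLDAP code.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Directive = (<what> attribute or "*", [(<who>, <level>, <control>), ...])
ORIGINAL = [  # order as posted in the thread
    ("*", [("*", "read", "stop")]),
    ("userPassword", [("self", "write", "stop"), ("*", "auth", "stop")]),
]
REVERSED = [ORIGINAL[1], ORIGINAL[0]]  # order suggested in the reply

KRIS = "uid=kris,ou=people,dc=example,dc=com"    # constructed DN
OTHER = "uid=other,ou=people,dc=example,dc=com"  # constructed DN

def who_matches(who, requester, target):
    if who == "*":
        return True
    if who == "self":
        return requester is not None and requester == target
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    return who == requester  # anything else is treated as an exact DN

def granted_level(acl, requester, target, attr):
    """Level given by the first directive whose <what> selects attr."""
    for what, clauses in acl:
        if what != "*" and what.lower() != attr.lower():
            continue  # this directive does not apply to the attribute
        for who, level, control in clauses:
            if who_matches(who, requester, target):
                if control == "break":
                    break  # go on to the next directive (level not carried over)
                return level  # default control "stop": evaluation ends here
        else:
            return "none"  # implicit trailing "by * none"
    return "none"  # no directive selected the attribute

def allows(acl, requester, target, attr, wanted):
    got = granted_level(acl, requester, target, attr)
    return LEVELS.index(got) >= LEVELS.index(wanted)

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("reversed", REVERSED)):
        print(name,
              "| self write:", allows(acl, KRIS, KRIS, "userPassword", "write"),
              "| other read:", allows(acl, OTHER, KRIS, "userPassword", "read"),
              "| anonymous auth:", allows(acl, None, KRIS, "userPassword", "auth"))
```

With the posted order the `userPassword` directive is never reached, so the owner gets only `read` and every other client can read the attribute; with the reversed order the owner gets `write` and everyone else is limited to `auth`.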