Re: ACL problem

[Samuel Tran <stran@amnh.org>]

On Tue, 2005-11-01 at 22:00 +0800, Feifei Jia wrote:
> On 10/31/05, Samuel Tran <stran@amnh.org> wrote:
> >
> > Sorry I made a mistake; it should be $2 instead of $1 in the who clause:
> >
> > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> >         by dn.one,expand="ou=Admin,dc=$2,dc=com" write
> >
> > Sam
> >
> 
> Cool, that works, thanks.
> 
> But there's a weird problem, the "userPassword" of entries in
> ou=People,dc=([^,]+),dc=com, either using my slapd admin account or
> entries in ou=Admin,dc=$2,dc=com was invaild. I could successfully add
> the "userPassword", but when I used the "Password" to auth (say,
> ldapsearch), "ldap_bind: Invalid credentials (49)" showed up.
> 
> All the entries not in ou=People,dc=([^,]+),dc=com can auth well. I
> added a new rule and put it before "access to attrs=userPassword"
> (slapd.conf default ACL):
> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
> 
> Still the same :(

Please could you post all your ACL rules?

Try to add this rule before the other rule:

access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
attrs=userPassword
	by dn.one,expand="ou=Admin,dc=$2,dc=com" write
	by self write
	by anonymous auth

This will allow:
- the admins to modify userPassword
- the users to modify their own userPassword
- anonymous to authenticate

--
Sam