Re: ACL Problem, Insufficient access (50)
At 06:19 AM 12/22/2005, Amir Saad wrote:
>I use OpenLDAP 2.3.11, Heimdal Kerberos, Fedora 4.
>
>Login is authenticated through Kerberos and I use LDAP for user info (instead of NIS).
>
>The problem is I cannot change the password for any authenticated user using GSSAPI, even with the rootdn.
>I tried to use -x and it worked only with the rootdn.
>
>Here is my ACL file: (Manager is my rootdn)
>*************************************************************************************************************************
>access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org" attrs=userPassword
> by dn="cn=Manager,dc=test,dc=domain,dc=mydomain,dc=org" write
> by self write
> by * auth
>access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
> by * read
>access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
> by self write
> by * read
>*************************************************************************************************************************
>
>and here is the error:
>**************************************************************************************************************************
>ldappasswd -Y GSSAPI -S "uid=sonne,ou=People,dc=test,dc=domain,dc=mydomain,dc=org "
>New password:
>Re-enter new password:
>SASL/GSSAPI authentication started
>SASL username: sonne@TEST.DOMAIN.MYDOMAIN.ORG
>SASL SSF: 56
>SASL installing layers
>Result: Insufficient access (50)
>*****************************************************************************
>
>I hope you can help!
>Thanks a lot
>Amir Saad
>Software Engineer
You seem to be making an assumption that the user's authzDN
is "uid=sonne,ou=People,dc=test,dc=domain,dc=mydomain,dc=org "
that is likely false. You should use ldapwhoami(1) to determine
what authzDN is associated with the user and then, if needed, use
slapd.conf(5)'s authz-regexp directive to do appropriate
identity mapping so that 'self' works as desired.
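To make the reply's suggestion concrete, here is an added example (not from the original thread) of the authz-regexp mapping it describes. It assumes OpenLDAP's default SASL identity form for GSSAPI binds, so that ldapwhoami reports the unmapped DN shown in the first comment; the realm name and the People suffix are taken from the original post, and the admin principal mapping at the end is a hypothetical addition.

```conf
# Added example, not from the original post. Assumes "ldapwhoami -Y GSSAPI"
# run as sonne reports the unmapped SASL identity (OpenLDAP's default form):
#   dn:uid=sonne,cn=test.domain.mydomain.org,cn=gssapi,cn=auth
# That DN is not the user's entry under ou=People, so "by self write" never
# matches and ldappasswd fails with Insufficient access (50). The ACL is
# not the problem; the identity seen by slapd is.

# slapd.conf (global section): map the SASL identity to the People entry.
# Anchor the pattern and allow only one RDN value in the capture so a crafted
# principal cannot be mapped onto an unintended entry.
authz-regexp
  "^uid=([^,]+),cn=test\.domain\.mydomain\.org,cn=gssapi,cn=auth$"
  "uid=$1,ou=People,dc=test,dc=domain,dc=mydomain,dc=org"

# Hypothetical: the original post says GSSAPI did not work "even with rootdn".
# A Kerberos principal is never the rootdn unless mapped to it explicitly;
# "admin" is an assumed principal name, not one from the post.
authz-regexp
  "^uid=admin,cn=test\.domain\.mydomain\.org,cn=gssapi,cn=auth$"
  "cn=Manager,dc=test,dc=domain,dc=mydomain,dc=org"

# The ACL from the post, unchanged in effect: once the bound identity equals
# the entry DN, "by self write" applies to userPassword. dn.exact for the
# Manager clause and an anchored regex avoid accidental broader matches.
access to dn.regex="^uid=([^,]+),ou=People,dc=test,dc=domain,dc=mydomain,dc=org$" attrs=userPassword
  by dn.exact="cn=Manager,dc=test,dc=domain,dc=mydomain,dc=org" write
  by self write
  by * auth

# Verification after restarting slapd, before retrying ldappasswd:
#   $ ldapwhoami -Y GSSAPI
#   dn:uid=sonne,ou=People,dc=test,dc=domain,dc=mydomain,dc=org
# If ldapwhoami still prints the cn=auth form, the regexp did not match
# (compare it character by character with that output, including the realm).
```

authz-regexp directives are tried in order and the first match wins, so keep the rootdn mapping narrow and specific rather than relying on a broad pattern.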