[Date Prev][Date Next] [Chronological] [Thread] [Top]

access permissions

To: openldap-software@OpenLDAP.org
Subject: access permissions
From: Adam Williams <awilliam@mdah.state.ms.us>
Date: Thu, 16 Aug 2007 12:19:23 -0500
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070802 SeaMonkey/1.1.4

I'm reading through Chapter 6 of the Openldap Software 2.3 Admninistrator's Guide, but I'm a little confused on access permissions. I think my access permissions are wrong.

I have 2 users loaded in openldap, adam and testuser.  in slapd.conf I have:

access to attrs=userPassword
       by self write
       by anonymous auth
       by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
       by * none
access to *
       by self write
       by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
       by * read

but adam can change testuser's password, and I want it so that a user can only change their password and not someone else's:

[root@gomer ~]# su -l adam [adam@gomer ~]$ ldapmodify -D "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x -v -f changepasswd.ldif ldap_initialize( <DEFAULT> ) replace userPassword: {CRYPT}xxxxxxxxxxxx modifying entry "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" modify complete

[root@gomer ~]# cat ~adam/changepasswd.ldif
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
userPassword: {CRYPT}xxxxxxxxxxx


And adam and testuser are different users:

[root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x # extended LDIF # # LDAPv3 # base <uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree # filter: (objectclass=*) # requesting: ALL #

# testuser, People, gomer.mdah.state.ms.us
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: testuser
cn: test user
telephoneNumber: xxxxxxx
roomNumber: IS
homePhone: xxxxxxxx
givenName: test
sn: user
mail: testuser@dc=mdah,dc=state,dc=ms,dc=us
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 101
homeDirectory: /home/testuser
gecos: test user,IS,xxxxxxx,xxxxxxxxx
userPassword:: xxxxxxxxxxxxx

# search result
search: 2
result: 0 Success

# numResponses: 2 # numEntries: 1 [root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxx -x # extended LDIF # # LDAPv3 # base <uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree # filter: (objectclass=*) # requesting: ALL #

# adam, People, gomer.mdah.state.ms.us
dn: uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: adam
cn: adam williams
telephoneNumber: xxxxxxxxxxxxx
roomNumber: IS
homePhone: xxxxxxxxxxx
givenName: adam
sn: williams
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: xxxxxxxxxxxxxxxxx
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/adam
gecos: adam williams,IS,xxxxxxx,xxxxxxx
mail: awilliam@mdah.state.ms.us

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Follow-Ups:
- Re: access permissions
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

Prev by Date: Re: TLS verify errors
Next by Date: dap_bind: Invalid DN syntax (34)
Index(es):
- Chronological
- Thread