
access permissions



I'm reading through Chapter 6 of the OpenLDAP Software 2.3 Administrator's Guide, but I'm a little confused about access permissions. I think my access permissions are wrong.

I have 2 users loaded in openldap, adam and testuser.  in slapd.conf I have:

# Password attribute.  slapd picks the first "access to" clause whose target
# matches, so this stanza must stay above the catch-all "access to *" below.
# Every "by" clause is matched against the DN the client *bound* with (-D),
# never against the Unix account that happens to run ldapmodify.
access to attrs=userPassword
# "self": the bound DN is the entry being modified, so a user may replace
# only their own password.  (The ldapmodify transcript below binds as
# uid=testuser and edits uid=testuser, which is why it succeeds.)
       by self write
# unauthenticated clients may use the value for a simple bind but not read it
       by anonymous auth
# the directory manager may set anyone's password
       by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
# everyone else - including uid=adam when actually bound as adam - gets
# neither read nor write; an attempt should fail with insufficient access
       by * none
# Everything else: a user may edit their own entry, the manager may edit any
# entry, and every other bound or anonymous client gets read access.
# NOTE(review): these entries carry posixAccount (uidNumber, gidNumber,
# loginShell, homeDirectory).  "by self write" here lets a user rewrite those
# attributes on their own entry; if this directory feeds nss/pam on any host,
# consider a separate "access to attrs=uidNumber,gidNumber,..." stanza that
# limits self to read - confirm against how the directory is consumed.
access to *
       by self write
       by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
       by * read

but it looks as if adam can change testuser's password, and I want it so that a user can only change their own password and not someone else's. (Note on the transcript below: the ldapmodify is run with `-D "uid=testuser,ou=People,..."` and testuser's password, so the LDAP bind identity is testuser, not adam — slapd evaluates `by self` against the bound DN, and the Unix account that runs the client is irrelevant to the ACL. As written, this is testuser replacing testuser's own password, which `by self write` is meant to allow. To actually test adam's rights, bind with `-D "uid=adam,ou=People,..."` and adam's password; the `by * none` clause should then reject the modify with an insufficient-access error. Also prefer `-W` (prompt) over `-w password`, which exposes the password in the process list and shell history.)

[root@gomer ~]# su -l adam
[adam@gomer ~]$ ldapmodify -D "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x -v -f changepasswd.ldif
ldap_initialize( <DEFAULT> )
replace userPassword:
{CRYPT}xxxxxxxxxxxx
modifying entry "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
modify complete


[root@gomer ~]# cat ~adam/changepasswd.ldif
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
userPassword: {CRYPT}xxxxxxxxxxx


And adam and testuser are different users:

[root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#


# testuser, People, gomer.mdah.state.ms.us
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: testuser
cn: test user
telephoneNumber: xxxxxxx
roomNumber: IS
homePhone: xxxxxxxx
givenName: test
sn: user
mail: testuser@dc=mdah,dc=state,dc=ms,dc=us
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 101
homeDirectory: /home/testuser
gecos: test user,IS,xxxxxxx,xxxxxxxxx
userPassword:: xxxxxxxxxxxxx

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#


# adam, People, gomer.mdah.state.ms.us
dn: uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: adam
cn: adam williams
telephoneNumber: xxxxxxxxxxxxx
roomNumber: IS
homePhone: xxxxxxxxxxx
givenName: adam
sn: williams
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: xxxxxxxxxxxxxxxxx
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/adam
gecos: adam williams,IS,xxxxxxx,xxxxxxx
mail: awilliam@mdah.state.ms.us

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1