
Re: access permissions



--On Thursday, August 16, 2007 6:25 PM -0500 Adam Williams <awilliam@mdah.state.ms.us> wrote:

Quanah Gibson-Mount wrote:
Well, in your above example here, ADAM binds as TESTUSER not as ADAM,
and so is able to change TESTUSER's password.  I see no problem with
your ACLs, only your test.  I.e., all you have proven is that testuser
can change their own password.

The correct test would be to do:

ldapmodify -D "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxx -x -v -f changepasswd.ldif

Yes, I think you are right; I don't have a configuration error, just a logic problem in my head. I was just seeing if I could change testuser's password with the same password testuser is already using. And adam and testuser have the same password, which would make the ldapmodify command succeed whether adam or testuser ran it. I'll try tomorrow with a different password in changepasswd.ldif and see what happens. Thanks!

Um, you still missed my point.

The point here is, you become user "adam" to UNIX, but when you talk to the ldap server, you talk to it as user "testuser". You need to talk to the ldap server as "adam" for your test to be valid. As long as you use "testuser" as your bind dn to the LDAP server, it will always be able to change its own password.

--Quanah

--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
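As an added example, not part of the thread, the script below runs the ACL test the way Quanah describes it: build the LDIF that replaces testuser's userPassword, bind as adam (not as testuser), and read the verdict from ldapmodify's exit status, which OpenLDAP's client tools set to the LDAP result code. The DNs are the ones from the thread; LDAP_URI, the password-file paths and the new password value are assumptions.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post). Exercises the ACL
# by binding as the DN under test and modifying a *different* entry, so the
# target's right to change its own password never enters the picture.
LDAP_URI="${LDAP_URI:-ldap://localhost}"          # assumption
BASE="ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"

# Build a password-change LDIF for the target uid. Use a value that differs
# from the current password so a success is unambiguous.
build_ldif() {  # build_ldif <target-uid> <new-password>
    printf 'dn: uid=%s,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$1" "$BASE" "$2"
}

# Map ldapmodify's exit status (the LDAP result code) to a verdict.
interpret_result() {  # interpret_result <exit-status>
    case "$1" in
        0)  echo "allowed" ;;        # LDAP_SUCCESS: the ACL granted the write
        50) echo "denied" ;;         # LDAP_INSUFFICIENT_ACCESS: the ACL refused it
        49) echo "bind-failed" ;;    # LDAP_INVALID_CREDENTIALS: wrong bind password
        *)  echo "error:$1" ;;
    esac
}

# Run the modify as <bind-uid>, reading its password from a file (-y) rather
# than passing it with -w, where ps and shell history would expose it.
acl_test() {  # acl_test <bind-uid> <bind-pw-file> <target-uid> <new-password>
    build_ldif "$3" "$4" | ldapmodify -x -H "$LDAP_URI" \
        -D "uid=$1,$BASE" -y "$2" >/dev/null 2>&1
    interpret_result $?
}

# Live usage (needs a reachable server; password-file paths are placeholders).
# First call is the valid test: bind DN adam, target testuser. Second call only
# shows that testuser can change its own password, which proves nothing about
# the ACL for adam.
if [ -n "$RUN_LIVE" ]; then
    acl_test adam     /path/to/adam.pw     testuser 'NewPassw0rd!'
    acl_test testuser /path/to/testuser.pw testuser 'NewPassw0rd!'
fi
```

Run with RUN_LIVE=1 against the test server; "denied" for the first call and "allowed" for the second means the ACL keeps adam away from testuser's password while self-service still works.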