Hello,

I've changed my acl like this:

access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
        by dn="cn=nssldap,ou=DSA,dc=moldex,dc=group" write
        by anonymous auth
        by self write

access to *
        by self write
        by * read

and still get:

=> access_allowed: read access to "uid=techsupport,ou=Users,dc=moldex,dc=group" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "uid=techsupport,ou=Users,dc=moldex,dc=group", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=nssldap,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: read access denied by auth(=xd)
=> access_allowed: no more rules

This only happened if smbk5pwd is enabled.

My pam_ldap config looks like this:

base dc=moldex,dc=group
uri ldap://127.0.0.1
ldap_version 3
rootdn cn=nssldap,ou=dsa,dc=moldex,dc=group
referrals yes
timelimit 30
bind_timelimit 30
bind_policy hard
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 1
nss_base_passwd ou=Users,dc=moldex,dc=group?one
nss_base_passwd ou=Computers,dc=moldex,dc=group?one
nss_base_shadow ou=Users,dc=moldex,dc=group?one
nss_base_group ou=Groups,dc=moldex,dc=group?one
nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,news,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data
ssl off
pam_lookup_policy yes
pam_password exop

Thanks,
greek

--- On Sat, 7/26/08, Dieter Kluenter <dieter@dkluenter.de> wrote: