Re: Modifying password by user

[Jonathan Clarke <jonathan@phillipoux.net>]

On 14/04/09 2:35, Franck Royer wrote:
> Hi,
>
>
> I'm installing openldap on a ubuntu intrepid server (8.10). Everything 
> is ok except when I want that a user is able to modify his own 
> password using phpldapadmin (0x32 LDAP_INSUFFICIENT_ACCESS).
>
> So I tried to modify it using ldappasswd :
>
> dante@kollok ~ $ ldappasswd
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> or
>
> dante@kollok ~ $ ldappasswd -D "uid=dante,ou=people,dc=kollok,dc=org"
> SASL/DIGEST-MD5 authentication started
> Please enter your password:
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>
> The posix user dante is the same user than the ldap one (I use pam 
> libs). And I know that my password is right cause I can log in 
> ldapadmin or ssh with it.
>
> My slapd.conf : http://pastebin.com/f44dd2b59
> My ldap.conf : http://pastebin.com/f3af1bec3
>
> Any idea ?
Hi,

The errors you are getting with ldappasswd are authentication errors. 
Probably because by default ldappasswd attemps to use a SASL bind. If 
you add the "-x" option to ldappasswd, you should be able to 
authenticate fine.

However, you also mentioned a 0x32 Insufficient access error. This is 
generally an ACL problem. Your slapd.conf seems to define the correct 
ACLs, but each one has an indentation on the first line... indenting a 
line usually means "this is a continuation of the previous line", which 
in your case are comments, so I guess your ACLs are being ignored.

Try removing the indentation in front of "access to ..." (but leave 
indentation on following lines in front of "by ...", restarting and 
trying again.

Regards,
Jonathan