I found this log in the ldap.log file:
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access to "uid=bobliu,ou=it,dc=abc,dc=com" "userPassword" requested
Apr 12 14:20:54 abc slapd[3136]: => slap_access_allowed: backend default auth access granted to "(anonymous)"
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access granted by read(=rscxd)
Apr 12 14:20:54 abc slapd[3136]: => access_allowed: backend default write access denied to "uid=bobliu,ou=it,dc=abc,dc=com"
Why is access granted to anonymous and not to bobliu?
On 04/12/2015 10:05 PM, feora wrote:
Hi Dan,
Thanks for your answer.
I'm still a little confused about it.
I run the following command:
/opt/openldap/bin/ldappasswd -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W -S
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)
When I run ldapsearch, it is OK:
/opt/openldap/bin/ldapsearch -x -D "uid=bobliu,ou=it,dc=abc,dc=com" -W
# bobliu, it, abc.com
dn: uid=bobliu,ou=it,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: bobliu
sn: fei
givenName: bobliu
cn: bobliu
displayName: bobliu
uidNumber: 10010
gidNumber: 10010
loginShell: /bin/bash
homeDirectory: /home/bobliu
mail: bobliu@abc.com
userPassword:: e3NzaGF9c1RLZW5oL2kxdmlocGw1NG55dUQybHA4ZldSM3o5RzIwdGZwSnc9PQ==
Any advice? Thanks.
On 04/02/2015 01:40 AM, Dan White wrote:
On 03/31/15 17:47 +0800, rockwang wrote:
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=abc,dc=com"
by * none
access to *
by self write
by dn.base="cn=Manager,dc=abc,dc=com"
by * read
by * none
My question is that a user can't change his own password. I use the following command, so I get different results:
[screenshot of the command and its output, not reproduced]
When I do not add -x:
[screenshot of the command and its output, not reproduced]
Consult the manpage for ldappasswd. In the first case (simple bind) you did not provide a binddn (-D). In the second case, you directed ldappasswd to perform a SASL bind but did not correctly provide an authentication identity, and the SASL mechanism negotiated could not derive one.
Hint: if using a simple bind, specify a full DN (with -D), and not a uid.
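The log at the top of this thread and the ACL quoted from rockwang's message are easier to reason about with slapd's first-match rule in front of you: only the first "access to" directive covering the attribute is consulted, and within it only the first matching "by" clause decides, so a simple bind, which slapd evaluates as an anonymous request for "auth" access to userPassword, is decided by "by anonymous auth" and never reaches "by self write". The following evaluator is an added example written for this thread, not OpenLDAP code; it models only the selectors the quoted ACL uses (attrs=, self, anonymous, dn.base=, *), supplies "write" for the cn=Manager clauses (the quoted copy shows no level there, so that is an assumption), and treats a request that no directive covers as falling through to a backend default of "read", which is the level the quoted log shows that default yielding ("granted by read(=rscxd)").

```python
"""Toy evaluator for slapd-style "access to <what> by <who> <level>" directives.

Added example for this thread; it is not OpenLDAP code.  Regex selectors,
sets, filters and the break/continue controls are not modelled.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# slapd privilege levels, weakest to strongest; a clause granting level X
# satisfies any request for X or for a level to its left (write implies read).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class ByClause:
    who: str    # "self", "anonymous", "*" or "dn.base=<DN>" (quotes stripped)
    level: str  # one of LEVELS


@dataclass
class AccessRule:
    attrs: Optional[Set[str]]                 # None means "access to *"
    by: List[ByClause] = field(default_factory=list)


def parse_acl(text: str) -> List[AccessRule]:
    """Parse "access to ..." / "by ..." lines into ordered rules."""
    rules: List[AccessRule] = []
    for raw in text.splitlines():
        tokens = shlex.split(raw)             # shlex keeps the quoted DNs whole
        if not tokens:
            continue
        if tokens[:2] == ["access", "to"]:
            what = tokens[2]
            if what == "*":
                rules.append(AccessRule(None))
            elif what.startswith("attrs="):
                rules.append(AccessRule({a.lower() for a in what[6:].split(",")}))
            else:
                raise ValueError(f"unsupported <what> selector: {what}")
        elif tokens[0] == "by" and len(tokens) == 3 and tokens[2] in LEVELS:
            rules[-1].by.append(ByClause(tokens[1], tokens[2]))
        else:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
    return rules


def _norm(dn: str) -> str:
    return ",".join(p.strip() for p in dn.split(",")).lower()


def who_matches(who: str, requester: str, target: str) -> bool:
    """requester == "" denotes an anonymous (unauthenticated) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "self":
        return requester != "" and _norm(requester) == _norm(target)
    if who.startswith("dn.base="):
        return requester != "" and _norm(requester) == _norm(who[8:])
    raise ValueError(f"unsupported <who> selector: {who}")


def evaluate(rules: List[AccessRule], requester: str, target: str,
             attr: str, wanted: str) -> Tuple[bool, str]:
    """Decide whether requester gets `wanted` access to attr of target.

    First-match semantics: the first "access to" covering the attribute is
    the only one consulted; within it the first matching "by" clause decides,
    and a match with too low a level denies (later clauses are not tried).
    No matching "by" clause means denial.  No covering directive at all
    falls through to the backend default, modelled as "read" (assumption
    taken from the level the thread's log shows that default granting).
    """
    want = LEVELS.index(wanted)
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue
        for clause in rule.by:
            if who_matches(clause.who, requester, target):
                return LEVELS.index(clause.level) >= want, f"by {clause.who} {clause.level}"
        return False, "no 'by' clause matched"
    return LEVELS.index("read") >= want, "backend default"


# The ACL as quoted in the thread; "write" on the cn=Manager clauses is an
# assumption, since the quoted copy shows no level for them.
THREAD_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=abc,dc=com" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=abc,dc=com" write
    by * read
    by * none
"""
BOB = "uid=bobliu,ou=it,dc=abc,dc=com"
MANAGER = "cn=Manager,dc=abc,dc=com"
RULES = parse_acl(THREAD_ACL)


def demo() -> dict:
    """Replay the two decisions from the thread's log plus a few neighbours."""
    cases = [
        ("simple-bind step: anonymous needs auth on userPassword", "", BOB, "userPassword", "auth"),
        ("bobliu writing his own userPassword", BOB, BOB, "userPassword", "write"),
        ("anonymous writing userPassword", "", BOB, "userPassword", "write"),
        ("another user reading bobliu's userPassword", "uid=alice,ou=it,dc=abc,dc=com", BOB, "userPassword", "read"),
        ("another user reading bobliu's mail", "uid=alice,ou=it,dc=abc,dc=com", BOB, "mail", "read"),
    ]
    results = {}
    for label, req, tgt, attr, lvl in cases:
        ok, why = evaluate(RULES, req, tgt, attr, lvl)
        results[label] = (ok, why)
        print(f"{'GRANTED' if ok else 'DENIED':8} {label:55} ({why})")
    return results


if __name__ == "__main__":
    demo()
```

Run against the quoted ACL, the evaluator grants the anonymous "auth" request through "by anonymous auth" and bobliu's "write" through "by self write"; the log at the top of the thread instead reports both decisions as coming from the backend default, which is the difference worth checking when a self-service password change returns "Insufficient access (50)" while the same bind DN can still read the entry.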