
Insufficient access in some cases



Hi, there is an interesting insufficient access problem...

There are 3 (in the dev environment 2) multimaster LDAP nodes.

There is a simple web frontend, written in PHP, where a user can
change their own password, or can get a link to set up a new pass
if the old one has been lost.

In some cases (some users) the user can't change their own password
through PHP. When I change it from the webserver with ldapmodify and
a simple ldif file, it works as well.

But when I try to modify the passwd through PHP, I get an
"Insufficient access" error, and these lines are in syslog:


Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 1
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: w
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: f
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: l
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: a
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: n
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: y
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 

(I replaced names and chars, so the match[dn0] numbers are not
correct).


Only a few users can trigger this problem (I don't know why), and
only through PHP.


What's the problem here?



Thanks,


a.
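
In the syslog excerpt above, the text after "=> match[dn0]: 26 60" arrives one character per line. The following is an added example, not part of the original post: it joins such runs back into the matched DN fragment. The sample lines are constructed from the excerpt, and treating the two numbers as the match's start and end offsets is an assumption.

```python
import re

# Syslog framing as in the excerpt: "<date> <host> slapd[<pid>]: <message>"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ slapd\[\d+\]:\s?(.*)$")
HEADER = re.compile(r"^=> match\[dn(\d+)\]: (\d+) (\d+)\s*$")

def _close(run):
    group, start, end, chars = run
    text = "".join(chars)
    # Assumption: the two numbers are start/end offsets of the regex match,
    # so end - start should equal the length of the reassembled text.
    return {"group": group, "start": start, "end": end, "text": text,
            "offsets_consistent": end - start == len(text)}

def reassemble(lines):
    """Join the one-character-per-line runs that follow each match[dnN] header."""
    out, run = [], None
    for raw in lines:
        m = LINE.match(raw.rstrip("\r\n"))
        if not m:
            continue  # not a slapd syslog line
        msg = m.group(1)
        hdr = HEADER.match(msg)
        if hdr:
            if run:
                out.append(_close(run))
            run = [int(hdr.group(1)), int(hdr.group(2)), int(hdr.group(3)), []]
        elif run is not None and len(msg) == 1:
            run[3].append(msg)
        elif run is not None:
            out.append(_close(run))  # empty or ordinary message ends the run
            run = None
    if run:
        out.append(_close(run))
    return out

def sample_lines():
    """Constructed sample: header lines plus the per-character run from the excerpt."""
    pre = "Sep 18 17:48:13 dev-ldap-01 slapd[12125]: "
    body = ["=> acl_get: [3] attr objectClass", "=> match[dn0]: 26 60"]
    body += list("ou=comp1,dc=wificloud,dc=company,dc=hu") + [""]
    return [pre + b for b in body]

if __name__ == "__main__":
    for r in reassemble(sample_lines()):
        print(r)
```

If several slapd threads log at once their lines interleave, so filter the log to one connection or thread before feeding it in.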