Re: Insufficient access in some cases
- To: openldap-technical@openldap.org
- Subject: Re: Insufficient access in some cases
- From: Clément OUDOT <clement.oudot@worteks.com>
- Date: Tue, 18 Sep 2018 21:40:00 +0200
- Content-language: fr-FR
- In-reply-to: <20180918161109.GA28878@arxnet.hu>
- Openpgp: preference=signencrypt
- Organization: Worteks
- References: <20180918161109.GA28878@arxnet.hu>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Thunderbird/52.9.1
On 18/09/2018 at 18:11, Ervin Hegedüs wrote:
> Hi, there is an interesting insufficient access problem...
>
> There are 3 (in dev environment 2) multimaster LDAP nodes.
>
> There is a simple web frontend, written in PHP, where a user can
> change their own password, or can get a link to set up a new pass
> if the old one was lost.
>
> In some cases (some users) the user can't change their own password
> through PHP. When I change it from the webserver with ldapmodify and
> a simple ldif file, it works as well.
>
> But when I try to modify the passwd through PHP, I got an
> "Insufficient access" error, and these lines are in syslog:
>
>
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 1
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: w
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: f
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: l
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: a
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: n
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: y
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]:
>
> (I replaced names and chars, so the match[dn0] numbers are not
> correct).
>
>
> Only a few users can trigger this problem (don't know why), and
> only through PHP.
>
>
> What's the problem here?
Hello,
I would say that the PHP application is sending some garbage to the
directory. What application are you using for password change, is it LTB
Self Service Password?
--
Clément Oudot | Identity Solutions Manager
clement.oudot@worteks.com
Worteks | https://www.worteks.com
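
A troubleshooting aid for ACL traces like the one quoted above, added here as an example and not part of the original messages or of OpenLDAP: it reads slapd ACL debug lines from syslog, records which ACL index and `dnpat` pattern matched each request, and reassembles the `match[dn0]` dump that syslog splits into one character per line. The function name `parse_acl_trace`, the sample DNs and the sample numbers are constructed; the line formats are assumed to be exactly those shown in the quoted log.

```python
import re

PREFIX = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ slapd\[\d+\]: ?(.*)$")
REQUEST = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
DNPAT = re.compile(r"=> dnpat: \[(\d+)\] (.+?) nsub: \d+")
MATCHED = re.compile(r"=> acl_get: \[(\d+)\] matched")
MATCH_HDR = re.compile(r"=> match\[dn\d+\]: \d+ \d+")

# Constructed sample in the format of the quoted log; all names are placeholders.
_P = "Sep 18 17:48:13 dev-ldap-01 slapd[12125]:"
SAMPLE = [
    f'{_P} => access_allowed: search access to "uid=u1,ou=Users,ou=COMP1,dc=example,dc=hu" "objectClass" requested',
    f"{_P} => dnpat: [3] ou=(Comp1|Comp2),dc=example,dc=hu nsub: 1",
    f"{_P} => acl_get: [3] matched",
    f"{_P} => match[dn0]: 26 51",
    *[f"{_P} {c}" for c in "ou=comp1,dc=example,dc=hu"],
    _P,  # empty message that closes the per-character dump
]

def parse_acl_trace(lines):
    """Return one dict per access_allowed request in slapd ACL debug syslog."""
    events, current, patterns, collecting = [], None, {}, False
    for raw in lines:
        m = PREFIX.match(raw.rstrip("\n"))
        if not m:
            continue
        msg = m.group(1)
        if collecting:
            # After match[dnN], each message is one character; anything else ends the dump.
            if len(msg) == 1:
                current["match"] += msg
                continue
            collecting = False
        if (r := REQUEST.search(msg)):
            current = {"access": r.group(1), "dn": r.group(2), "attr": r.group(3),
                       "acl": None, "pattern": None, "match": ""}
            events.append(current)
        elif (p := DNPAT.search(msg)):
            patterns[int(p.group(1))] = p.group(2)
        elif current is not None and (a := MATCHED.search(msg)):
            current["acl"] = int(a.group(1))
            current["pattern"] = patterns.get(current["acl"])
        elif current is not None and MATCH_HDR.search(msg):
            collecting = True
    return events

if __name__ == "__main__":
    print(parse_acl_trace(SAMPLE))
```

Feeding it the slapd lines from `/var/log/syslog` for a failing and a working password change gives two event lists that can be compared request by request.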