
Re: Insufficient access in some cases



Hi,

On Tue, Sep 18, 2018 at 11:21:07PM +0200, Clément OUDOT wrote:
> 
> No, the olcAccess {3} denies all access inside dc=bigcompany,dc=hu, the
> rule {4} is never evaluated.

yep,
 
> > And as I wrote in first mail, the simple "ldapmodify" works as
> > well.
> 
> Do you test modifying only the userPassword attribute? Or is your
> modification also on Samba attributes?

SMB attributes modification was denied when I tested today.
 
> > And more important, the other users under the same OU can change
> > their own userpassword/nt/lm password attributes through PHP.
> 
> I don't know how, because your ACL allows only userPassword modification
> for 'self'.

so, you're right, Clément, and thanks for the clarification.

Our end customers misinformed me - today it became clear that nobody
can modify their passwords (userPassword, NT/LM passwd) through
the webservice.

I've modified ACL rules, now it works as well - thanks again.

Anyway, it's very interesting how and why slapd logs those
lines... they also misled me.


Thanks,


a.