At 06:33 PM 7/26/2005, Quanah Gibson-Mount wrote:
>--On Tuesday, July 26, 2005 3:09 PM +0200 Pierangelo Masarati <[EMAIL PROTECTED]> wrote:
>
>>
>>>Hello, I am having some problems with users being able to change their
>>>own passwords on the LDAP server. The result comes back with
>>>"implementation specific error 80" so I assume this means I set up
>>>something incorrectly, but I don't know what. Below is the error, below
>>>that is the security section of my slapd.conf file.
>>>
>>>ldappasswd -xSWD "uid=kris,ou=people,dc=xxxxxxxx,dc=com"
>>>New password:
>>>Re-enter new password:
>>>Enter LDAP Password:
>>>Result: Internal (implementation specific) error (80)
>>>Additional info: entry modify failed
>>
>>"80" means that something so weird happened that there's no standard code
>>to indicate it. As such, it might be useful to see what's going on on the
>>server side, starting from: version, slapd.conf and logs when the problem
>>occurs.
>>
>>>
>>>--
>>><slapd.conf security section>
>>>
>>>access to *
>>>    by * read
>>>access to attrs=userPassword
>>>    by self write
>>>    by * auth
>>
>>This looks correct.
>
>Actually, I have a question about this. Since access to * by * read comes
>first, won't the second ACL never be evaluated? My understanding of OpenLDAP
>ACLs is they stop at the first matching ACL that gives any sort of access
>(unless there is a by * break in there). And besides, isn't this ACL
>particularly insecure, in that it would allow anyone to read anyone else's
>password? I would expect that these two ACLs should be reversed.

The second access statement is ignored as the first catches all targets.

>--Quanah
>
>
>--
>Quanah Gibson-Mount
>Principal Software Developer
>ITSS/Shared Services
>Stanford University
>GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
>"These censorship operations against schools and libraries are stronger
>than ever in the present religio-political climate. They often focus on
>fantasy and sf books, which foster that deadly enemy to bigotry and blind
>faith, the imagination." -- Ursula K. Le Guin
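The first-match behaviour stated in the reply above, as an added example that is not part of the original thread and is not OpenLDAP code: a simplified Python model of access-clause selection, run over the posted ACL and over the same two clauses in reversed order. It assumes only the `*` and `attrs=` targets and the `*` and `self` subjects; the function names are hypothetical.

```python
# Simplified model of how slapd picks an access clause (not slapd's code).
# Assumption: only "*" / "attrs=" targets and the "*" / "self" subjects.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acl(text):
    """Parse 'access to <what>' clauses followed by 'by <who> <level>' lines."""
    rules = []
    for words in (line.split() for line in text.splitlines()):
        if words[:2] == ["access", "to"]:
            rules.append((words[2], []))
        elif words[:1] == ["by"]:
            rules[-1][1].append((words[1], words[2]))
    return rules

def what_matches(what, attr):
    if what.startswith("attrs="):
        return attr.lower() in what[len("attrs="):].lower().split(",")
    return what == "*"

def who_matches(who, requester, target):
    # requester is the bound DN, or None for an anonymous bind
    return who == "*" or (who == "self" and requester is not None and requester == target)

def granted(rules, attr, requester, target):
    """Return (index of the deciding access clause, level it grants)."""
    for i, (what, by_list) in enumerate(rules):
        if what_matches(what, attr):
            # The first matching <what> decides; later clauses are never consulted.
            for who, level in by_list:
                if who_matches(who, requester, target):
                    return i, level
            return i, "none"  # implicit "by * none" ends every clause
    return None, "none"  # clauses exist but none matched the target

def allows(level, wanted):
    return LEVELS.index(level) >= LEVELS.index(wanted)

# The ACL as posted in the thread, and the same clauses reversed.
POSTED = """access to *
    by * read
access to attrs=userPassword
    by self write
    by * auth"""
REVERSED = """access to attrs=userPassword
    by self write
    by * auth
access to *
    by * read"""
KRIS = "uid=kris,ou=people,dc=xxxxxxxx,dc=com"  # DN from the posted command
```

With the posted order, every request for `userPassword` is decided by clause 0 at level `read`; with the reversed order the owner gets `write`, everyone else gets `auth`, and other attributes still fall through to the catch-all clause.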
