On 11/1/05, Samuel Tran <[EMAIL PROTECTED]> wrote:
> > But there's a weird problem, the "userPassword" of entries in
> > ou=People,dc=([^,]+),dc=com, either using my slapd admin account or
> > entries in ou=Admin,dc=$2,dc=com was invalid. I could successfully add
> > the "userPassword", but when I used the "Password" to auth (say,
> > ldapsearch), "ldap_bind: Invalid credentials (49)" showed up.
> >
> > All the entries not in ou=People,dc=([^,]+),dc=com can auth well. I
> > added a new rule and put it before "access to attrs=userPassword"
> > (slapd.conf default ACL):
> > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
> >
> > Still the same :(
>
> Please could you post all your ACL rules?
>
> Try to add this rule before the other rule:
>
> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
>     by dn.one,expand="ou=Admin,dc=$2,dc=com" write
>     by self write
>     by anonymous auth
>
> This will allow:
> - the admins to modify userPassword
> - the users to modify their own userPassword
> - anonymous to authenticate
>
> --
> Sam
Sorry for the inconvenience :)
My original ACL ("cn=admin,dc=com" is my slapd db admin account):
=========================snip1=========================
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
    by dn="cn=admin,ou=vd" write
    by dn.one,expand="ou=Admin,dc=$2,dc=com" write
    by self write
    by anonymous auth
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
    by dn="cn=admin,ou=vd" write
    by dn.one,expand="ou=Admin,dc=$2,dc=com" write
    by self write
    by anonymous auth
access to attrs=userPassword
    by dn="cn=admin,dc=com" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=com" write
    by * none
=========================snip1=========================
But it still had the same problem: I could add or modify the
"userPassword" attribute of entries in ou=People,dc=([^,]+),dc=com,
but when authenticating it showed "Invalid credentials", just as if I
had typed a wrong password.
And I changed my ACL to:
=========================snip2=========================
access to dn.regex="ou=People,dc=([^,]+),dc=com"
    by dn="cn=admin,ou=vd" write
    by dn.regex,expand="ou=Admin,dc=$1,dc=com" write
    by self write
    by anonymous auth
access to attrs=userPassword
    by dn="cn=admin,dc=com" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=com" write
    by * none
=========================snip2=========================
It seems that things are looking good now.
Thanks for your help, I really appreciate it :)
--
Thanks~
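To make the first-match semantics of these rules concrete, the following is a small Python model of slapd ACL evaluation applied to the working "snip2" ACL from the thread; it is added here and is not part of the thread or of OpenLDAP. It assumes slapd.access(5) semantics for the `who` styles used above (exact dn, dn.one,expand, dn.regex,expand, self, anonymous) and uses constructed DNs under dc=example,dc=com.

```python
import re
# Simplified model of slapd ACL evaluation for the styles used in this thread
# (assumption: follows slapd.access(5); not slapd's own code). The first "access to"
# whose dn regex and attrs match the target wins, then its first matching "by"
# clause grants the level; no matching "by" means "none".
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def one_level_child(dn, base):
    dn, base = dn.lower(), base.lower()  # dn.one style: exactly one RDN below base
    return dn.endswith("," + base) and "," not in dn[:-len(base) - 1]

def who_matches(who, bind_dn, target_dn, m):
    """Evaluate one 'by <who>' clause; m is the what-clause regex match (or None)."""
    if who in ("anonymous", "*"):
        return who == "*" or bind_dn is None
    if bind_dn is None:
        return False
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    style, _, pat = who.replace('"', "").partition("=")
    if m is not None:                    # substitute $N from the what-clause match
        pat = m.expand(pat.replace("$", "\\"))
    if style == "dn":                    # exact DN
        return bind_dn.lower() == pat.lower()
    if style == "dn.one,expand":         # one level below the expanded DN
        return one_level_child(bind_dn, pat)
    if style == "dn.regex,expand":       # expanded pattern used as a regex
        return re.search(pat, bind_dn, re.I) is not None
    raise ValueError("unsupported who clause: " + who)

def check_access(acls, target_dn, attr, bind_dn):
    """Access level bind_dn (None = anonymous) gets on attr of target_dn."""
    for dn_re, attrs, bys in acls:
        m = re.search(dn_re, target_dn, re.I) if dn_re else None
        if (dn_re and m is None) or (attrs and attr not in attrs):
            continue
        return next((lvl for who, lvl in bys if who_matches(who, bind_dn, target_dn, m)), "none")
    return "none"

def can_simple_bind(acls, user_dn):
    """A simple bind is checked as anonymous and needs 'auth' on userPassword."""
    return LEVELS.index(check_access(acls, user_dn, "userPassword", None)) >= LEVELS.index("auth")

SNIP2 = [  # the thread's working "snip2" ACL as (dn regex, attrs, [(who, level), ...])
    (r"ou=People,dc=([^,]+),dc=com", None, [('dn="cn=admin,ou=vd"', "write"),
     ('dn.regex,expand="ou=Admin,dc=$1,dc=com"', "write"), ("self", "write"), ("anonymous", "auth")]),
    (None, {"userPassword"}, [('dn="cn=admin,dc=com"', "write"), ("anonymous", "auth"),
     ("self", "write"), ("*", "none")]),
    (None, None, [('dn="cn=admin,dc=com"', "write"), ("*", "none")]),
]
```

Note that the dn.regex,expand clause in snip2 matches any bind DN containing the expanded string, so entries nested deeper under ou=Admin also get write, whereas the dn.one,expand form from snip1 would admit only direct children; the rootdn is not subject to ACLs at all, so it is not modelled here.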