At 06:19 AM 12/22/2005, Amir Saad wrote:
> I use OpenLDAP 2.3.11, Heimdal Kerberos, Fedora 4.
>
> Login is authenticated through Kerberos and I use LDAP for user info (instead of
> NIS).
>
> The problem is I cannot change the password for any authenticated user using
> GSSAPI, even with rootdn.
> I tried to use -x and it worked only with the rootdn.
>
> Here is my ACL file (Manager is my rootdn):
> *****
> access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
>     attrs=userPassword
>     by dn="cn=Manager,dc=test,dc=domain,dc=mydomain,dc=org" write
>     by self write
>     by * auth
> access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
>     by * read
> access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
>     by self write
>     by * read
> *****
>
> And here is the error:
> *****
> ldappasswd -Y GSSAPI -S
> "uid=sonne,ou=People,dc=test,dc=domain,dc=mydomain,dc=org "
> New password:
> Re-enter new password:
> SASL/GSSAPI authentication started
> SASL username: [EMAIL PROTECTED]
> SASL SSF: 56
> SASL installing layers
> Result: Insufficient access (50)
> *****
>
> I hope you can help!
> Thanks a lot,
> Amir Saad
> Software Engineer
You seem to be making an assumption that the user's authzDN is "uid=sonne,ou=People,dc=test,dc=domain,dc=mydomain,dc=org ", which is likely false. You should use ldapwhoami(1) to determine what authzDN is associated with the user and, if needed, use slapd.conf(5)'s authz-regexp directive to do the appropriate identity mapping so that 'self' works as desired.
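The mapping step the reply points at, written out as an added slapd.conf(5) fragment (this is illustrative, not from the original thread or the OpenLDAP project; the `cn=REALM,cn=gssapi,cn=auth` shape of the SASL-derived DN is the form slapd generates for GSSAPI binds, and `REALM` is a placeholder that must be replaced with the exact string ldapwhoami prints):

```conf
# Added example, not part of the original thread.
#
# Step 1: find the authzDN slapd actually derives for the GSSAPI user.
# Run this as the user (a shell command, not a slapd directive):
#   ldapwhoami -Y GSSAPI
# Before any mapping the answer has this shape (REALM is a placeholder):
#   dn:uid=sonne,cn=REALM,cn=gssapi,cn=auth
# That DN is not the entry under ou=People, so "by self write" never matches
# and the userPassword ACL falls through to "by * auth": Insufficient access.
#
# Step 2: map the SASL-derived DN onto the real entry. Replace REALM with the
# exact realm string shown by ldapwhoami. Rules are tried in order; the first
# match wins, so put the most specific pattern first.
authz-regexp uid=([^,]*),cn=REALM,cn=gssapi,cn=auth uid=$1,ou=People,dc=test,dc=domain,dc=mydomain,dc=org

# Step 3: the ACL from the thread needs no change once the mapping lands on
# the entry DN. Re-running ldapwhoami should now print
#   dn:uid=sonne,ou=People,dc=test,dc=domain,dc=mydomain,dc=org
# and ldappasswd -Y GSSAPI -S on that DN is then evaluated as "self".
```

If the Kerberos principal name does not translate one-to-one into the RDN of the entry, the replacement may instead be an LDAP URL that searches for the entry, for example `ldap:///ou=People,dc=test,dc=domain,dc=mydomain,dc=org??sub?(uid=$1)`; the search must return exactly one entry or the mapping is not applied. In either form, verify the result with ldapwhoami before touching the ACLs, since a mapping that resolves to the wrong entry would grant that entry's `self` rights to the wrong principal.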
