Hello,

 

My users are allowed to modify their own passwords.  My ACL is set like
this:

olcAccess: {0} to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.exact="cn=admin,dc=group,dc=ldap" write
  by * none
olcAccess: {1} to * by * read

 

Though not the perfect configuration, it works.  In yours, I don't see
the userPassword attribute.

 

 

 

John D. Borresen (Dave)

Email: [email protected]

 

From: openldap-technical [mailto:[email protected]] On
Behalf Of Rajagopal Rc
Sent: Wednesday, December 23, 2015 2:04 AM
To: [email protected]
Subject: Issue while changing user password by self

 

Hello, 

I am trying to allow users to change their own passwords 

        OS                        RHEL7 
        Openldap version         2.4.39-7.el7_1.x86_64 

ACL in slapd.conf 
        
        disallow bind_anon 

access to attrs=userPassword 
       by self write 
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read 
       by dn.base="cn=binduser,dc=rnd,dc=com" read 
       by * auth 


access to * 
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read 
       by dn.base="cn=binduser,dc=rnd,dc=com" read 
       by * break 

access to * 
       by dn="cn=Manager,dc=rnd,dc=com" 
       by users read 
       by self write 
       by * auth 

From a client machine, 'user5' is trying to change their own password and is
getting the following error:

$ ldappasswd -H ldaps://ldapdev.rnd.com:636 -x -D "cn=user
5,ou=people,dc=rnd,dc=com" -W -A  -S 
Old password: 
Re-enter old password: 
New password: 
Re-enter new password: 
Enter LDAP Password: 
Result: Insufficient access (50) 
Additional info: User alteration of password is not allowed 

This error looks like an issue with permissions, yet I have already allowed
access to attrs=userPassword by self write in slapd.conf. Please let me know
if there is anything wrong in the above ACL and why I am getting this error.

Thanks & Regards 
Raj
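
An added example (not part of either message, and not OpenLDAP code): a simplified Python model of slapd's first-match ACL evaluation, run over the ACL from the reply and the first two directives from the question; the third directive is left out because one of its clauses carries no access level. It assumes only the `*`, `anonymous`, `users`, `self` and exact-DN `<who>` forms, and the function names and the sample DNs used to query it are this example's own.

```python
import re

# Constructed from the two ACLs quoted in this thread (mail line wraps joined).
REPLY_ACL = '''
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none
olcAccess: {1} to * by * read
'''
QUESTION_ACL = '''
access to attrs=userPassword
       by self write
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * auth
access to *
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * break
'''

def parse_acl(text):
    """Return [(attrs or None, [(who, access), ...]), ...] in directive order."""
    rules = []
    for chunk in re.split(r"(?:olcAccess:\s*\{\d+\}|access)\s+to\s+", text)[1:]:
        what, *clauses = re.split(r"\s+by\s+", " ".join(chunk.split()))
        attrs = what[6:].lower().split(",") if what.startswith("attrs=") else None
        rules.append((attrs, [tuple(c.split()) for c in clauses]))
    return rules

def who_matches(who, requester, entry):
    me = (requester or "").lower()             # "" stands for an anonymous session
    if who in ("*", "anonymous", "users"):
        return {"*": True, "anonymous": not me, "users": bool(me)}[who]
    target = entry if who == "self" else who.partition("=")[2].strip('"')
    return bool(me) and me == target.lower()   # self, dn=, dn.exact=, dn.base=

def access_for(rules, requester, entry, attr):
    """First directive whose <what> matches, then its first matching <who>."""
    for attrs, clauses in rules:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, access in clauses:
            if who_matches(who, requester, entry):
                if access == "break":
                    break                      # fall through to later directives
                return access
        else:
            return "none"                      # implicit trailing "by * none"
    return "none"                              # no directive applied
```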
