Thanks for your answer,
> Rather than a replace op, you can just delete and add ACL {0} directly,
> since you're not changing any of the other ACLs.
>
So this means I can omit the entries for olcAccess: {1} and olcAccess: {2}?
And for olcAccess: {0} I would first create a delete operation and after that
re-add it again? Why is that better than a replace, if I may ask?
> Is sys_allow_pw_change an actual LDAP group
> (groupofNames, groupOfUniqueNames, or groupOfMembers)
ObjectClass is posixGroup and members are saved in a memberUID field:
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com
dn: cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: sys_allow_pw_change
memberUid: svc_ldap
memberUid: cupcake
gidNumber: 23923
> Quanah Gibson-Mount <[email protected]> wrote on 17.01.2022 17:21:
>
> --On Sunday, January 16, 2022 7:24 PM +0000 [email protected] wrote:
>
> > So I've created pwchange.ldif with the help of this serverfault post
> > (https://serverfault.com/questions/1064914/q-what-is-the-correct-way-to-add-olcaccess-rules-to-openldap):
>
> The post misses important points about how to do ACLs.
>
> > dn: olcDatabase={1}mdb,cn=config
> > changetype: modify
> > replace: olcAccess
>
> Rather than a replace op, you can just delete and add ACL {0} directly,
> since you're not changing any of the other ACLs.
>
> > olcAccess: {0}to attrs=userPassword
> > by self write
> > by dn="cn=admin,dc=ldap,dc=example,dc=com" manage
> > by dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUid & user/uid" write
> > by anonymous auth
>
> The above seems very wrong. Is sys_allow_pw_change an actual LDAP group
> (groupofNames, groupOfUniqueNames, or groupOfMembers)? If so, just
> standard group ACL format should work.
>
> I.e., by dn.group="..." write
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
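As an added example (not posted by either participant), this is what Quanah's suggestion looks like as a single modify: delete only ACL {0} and add the rewritten {0} back, leaving {1} and {2} untouched, and use the standard group clause instead of the bracketed set syntax. It assumes cn=sys_allow_pw_change has been recreated as a groupOfNames whose member values are user DNs; a posixGroup's memberUid holds uid strings, not DNs, and slapd rejects it as a group= member attribute.

```ldif
# Added example, not the original poster's pwchange.ldif.
# Assumption: cn=sys_allow_pw_change is a groupOfNames (member = user DNs).
# Continuation lines in LDIF start with a single space that is stripped,
# so each "by" line below is indented with TWO spaces to keep a real space
# in the joined olcAccess value.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by dn.exact="cn=admin,dc=ldap,dc=example,dc=com" manage
  by group.exact="cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com" write
  by anonymous auth
  by * none
```

Apply it over the same root-only ldapi:/// channel used for the ldapsearch above, e.g. ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f pwchange.ldif, then re-read olcDatabase={1}mdb,cn=config to confirm that {1} and {2} are unchanged.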