Thanks for your feedback, much appreciated!
I'll try to change my groups to groupOfNames; I couldn't get it to work right now
and it's already late here.
I've changed my LDIF file for my desired change to the following:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword
 by self write
 by dn="cn=admin,dc=ldap,dc=example,dc=com" manage
 by anonymous auth
 by * none
And this works fine:
ldapmodify -H ldapi:// -Y EXTERNAL -f pwchange.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
However, when adding the line I got from Server Fault
(dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUi)
it fails:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: <olcAccess> handler exited with 1
But this should be resolved as soon as I've switched everything to LDAP groups.
Could you please confirm that this guide is correct for enabling
groupOfNames? https://kifarunix.com/how-to-create-openldap-member-groups/ Thank
you very much!
> Quanah Gibson-Mount <[email protected]> wrote on 17.01.2022 18:06:
>
>
> --On Monday, January 17, 2022 5:52 PM +0100 [email protected] wrote:
>
> >
> > Thanks for your answer,
> >
> >
> >
> > Rather than a replace op, you can just delete and add ACL {0} directly,
> > since you're not changing any of the other ACLs.
> >
> >
> > So this means I can omit the entries for olcAccess: {1} and olcAccess:
> > {2}?
> > And for olcAccess: {0} I would first create a delete operation and after
> > that re-add it again? Why is that better than a replace, if I may ask?
>
> Yes, you can use the weight in a delete op, like
>
> ldapmodify ...
> dn: ...
> delete: olcAccess
> olcAccess: {0}
> -
> add: olcAccess
> olcAccess: {0}access to ...
>
> I would say it's better than replace for a few reasons, the largest being
> a lower likelihood of end-user error (typos, etc.).
>
> You can also do the same sort of thing to insert ACLs, like
>
> ldapmodify ...
> dn: ....
> add: olcAccess
> olcAccess: {1}access to ...
>
> Would put a new ACL at {1} and increment all subsequent ACLs to preserve
> order.
>
> >> Is sys_allow_pw_change an actual LDAP group
> >> (groupofNames, groupOfUniqueNames, or groupOfMembers)
> >
> >
> > ObjectClass is posixGroup and members are saved in a memberUID field:
>
> Generally I'd advise using LDAP groups, not *nix posixGroups, for managing
> LDAP access.
>
> I would also note that "memberUID" can be problematic if you end up with
> multiple entries with the same UID, an issue that DN based LDAP groups
> cannot encounter.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
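The weight-based delete/add and insert operations discussed above, as an added example that is not code from the thread: a small Python model of how cn=config renumbers the X-ORDERED olcAccess values (slapd-config(5)), useful for previewing the resulting ACL order before running ldapmodify. Function names are mine; the {1} and {2} ACL contents are constructed placeholders, and appending an out-of-range index is a modelling assumption.

```python
import re

# Models cn=config's X-ORDERED 'VALUES' olcAccess handling (slapd-config(5)):
# delete "{n}" removes the n-th value, add "{n}..." inserts at n and renumbers
# the rest, add without a weight appends. Added example; names are my own.
WEIGHT_RE = re.compile(r"^\{(\d+)\}(.*)$", re.S)

def split_weight(value: str):
    """Return (index or None, ACL text) for one olcAccess value."""
    m = WEIGHT_RE.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)

def apply_changes(acls: list, changes: list) -> list:
    """Apply ('delete'|'add', value) pairs to a weight-less ACL list."""
    acls = list(acls)
    for op, value in changes:
        idx, text = split_weight(value)
        if op == "delete":
            if idx is None:
                acls.remove(text)        # delete by exact value
            else:
                del acls[idx]            # delete by weight alone
        elif op == "add":
            if idx is None or idx >= len(acls):
                acls.append(text)        # out-of-range index: appended (assumption)
            else:
                acls.insert(idx, text)   # later entries get renumbered
        else:
            raise ValueError(f"unknown op {op!r}")
    return acls

def render(acls: list) -> list:
    return [f"{{{i}}}{text}" for i, text in enumerate(acls)]

def demo():
    # Constructed sample: {1} and {2} are placeholders not shown in the thread.
    current = [
        "to attrs=userPassword by self write by anonymous auth by * none",
        "to attrs=shadowLastChange by self write by * read",
        "to * by * read",
    ]
    # pwchange.ldif from the thread: delete {0}, then add a new {0}.
    new0 = ("to attrs=userPassword by self write "
            'by dn="cn=admin,dc=ldap,dc=example,dc=com" manage '
            "by anonymous auth by * none")
    after = apply_changes(current, [("delete", "{0}"), ("add", "{0}" + new0)])
    # Quanah's insert: add at {1}; the old {1} and {2} shift to {2} and {3}.
    more = apply_changes(after, [("add", "{1}to attrs=mail by self write by * read")])
    return render(after), render(more)
```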