I'm reading through Chapter 6 of the OpenLDAP Software 2.3
Administrator's Guide, but I'm a little confused about access
permissions. I think my access permissions are wrong.
I have 2 users loaded in OpenLDAP, adam and testuser. In slapd.conf I have:
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
by * none
access to *
by self write
by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
by * read
but adam can change testuser's password, and I want it so that a user
can only change their own password and not someone else's (note that in the
ldapmodify below the shell login is adam, while the bind DN passed with -D is
testuser's own entry):
[root@gomer ~]# su -l adam
[adam@gomer ~]$ ldapmodify -D
"uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx
-x -v -f changepasswd.ldif
ldap_initialize( <DEFAULT> )
replace userPassword:
{CRYPT}xxxxxxxxxxxx
modifying entry
"uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
modify complete
[root@gomer ~]# cat ~adam/changepasswd.ldif
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
userPassword: {CRYPT}xxxxxxxxxxx
And adam and testuser are different users:
[root@gomer ~]# ldapsearch -D
'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b
"uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us>
with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# testuser, People, gomer.mdah.state.ms.us
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: testuser
cn: test user
telephoneNumber: xxxxxxx
roomNumber: IS
homePhone: xxxxxxxx
givenName: test
sn: user
mail: testuser@dc=mdah,dc=state,dc=ms,dc=us
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 101
homeDirectory: /home/testuser
gecos: test user,IS,xxxxxxx,xxxxxxxxx
userPassword:: xxxxxxxxxxxxx
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
[root@gomer ~]# ldapsearch -D
'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b
"uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxx
-x # extended LDIF
#
# LDAPv3
# base <uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with
scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# adam, People, gomer.mdah.state.ms.us
dn: uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: adam
cn: adam williams
telephoneNumber: xxxxxxxxxxxxx
roomNumber: IS
homePhone: xxxxxxxxxxx
givenName: adam
sn: williams
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: xxxxxxxxxxxxxxxxx
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/adam
gecos: adam williams,IS,xxxxxxx,xxxxxxx
mail: awilliam(a)mdah.state.ms.us
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1