--On Thursday, August 16, 2007 12:19 PM -0500 Adam Williams awilliam@mdah.state.ms.us wrote:
I'm reading through Chapter 6 of the OpenLDAP Software 2.3 Administrator's Guide, but I'm a little confused on access permissions. I think my access permissions are wrong.
I have 2 users loaded in openldap, adam and testuser. In slapd.conf I have:

access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
        by * none

access to *
        by self write
        by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
        by * read
but adam can change testuser's password, and I want it so that a user can only change their password and not someone else's:
[root@gomer ~]# su -l adam
[adam@gomer ~]$ ldapmodify -D "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x -v -f changepasswd.ldif
ldap_initialize( <DEFAULT> )
replace userPassword:
        {CRYPT}xxxxxxxxxxxx
modifying entry "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
modify complete
Well, in your above example here, ADAM binds as TESTUSER, not as ADAM, and so is able to change TESTUSER's password. I see no problem with your ACLs, only your test. I.e., all you have proven is that testuser can change their own password.
The correct test would be to do:
ldapmodify -D "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxx -x -v -f changepasswd.ldif
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
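The point Quanah makes (slapd evaluates the ACL against the DN passed to -D, not against the Unix account running ldapmodify) can be checked offline with a small ACL evaluator. The following is an added example written for this thread; it is not code from the original posts or from OpenLDAP. It models only the constructs used in the posted slapd.conf ("to *", "to attrs=...", and the "self", "anonymous", "dn.base=..." and "*" who-clauses), the ACL text and the three DNs (ADAM, TESTUSER, MANAGER) are copied from the thread, and its ordering rules (first matching access directive wins, first matching by clause within it wins, otherwise deny) follow slapd's documented semantics in simplified form.

```python
"""Toy model of how slapd evaluates the two ACLs from the thread.

Added, simplified re-implementation for illustration only; it is not
slapd code.  It supports just the constructs the posted slapd.conf uses.
"""
import shlex
from dataclasses import dataclass
from typing import List

# slapd privilege levels, weakest to strongest; a level grants everything below it
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL exactly as posted in the thread (Manager DN copied from the post)
POSTED_ACL = """
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
    by * none
access to *
    by self write
    by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
    by * read
"""


@dataclass
class ByClause:
    who: str    # "self", "anonymous", "*" or "dn.base=<dn>"
    level: str  # one of LEVELS


@dataclass
class AccessRule:
    target: str              # "*" or "attrs=a,b,c"
    clauses: List[ByClause]


def parse_acl(text: str) -> List[AccessRule]:
    """Parse 'access to <what> by <who> <level> ...' directives in file order."""
    tokens = shlex.split(text)  # shlex removes the quotes around the dn.base value
    rules, i = [], 0
    while i < len(tokens):
        if tokens[i:i + 2] != ["access", "to"]:
            raise ValueError("expected 'access to' at token %d" % i)
        target, i = tokens[i + 2], i + 3
        clauses = []
        while i < len(tokens) and tokens[i] == "by":
            who, level = tokens[i + 1], tokens[i + 2]
            if level not in LEVELS:
                raise ValueError("unknown access level %r" % level)
            clauses.append(ByClause(who, level))
            i += 3
        rules.append(AccessRule(target, clauses))
    return rules


def norm_dn(dn: str) -> str:
    """Crude DN normalisation: lowercase, no whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def target_matches(target: str, attr: str) -> bool:
    """Does an 'access to' target cover the attribute being touched?"""
    if target == "*":
        return True
    if target.startswith("attrs="):
        wanted = [a.strip().lower() for a in target[len("attrs="):].split(",")]
        return attr.lower() in wanted
    raise ValueError("unsupported target %r" % target)


def who_matches(who: str, bind_dn: str, entry_dn: str) -> bool:
    """bind_dn is the identity given to -D (empty string means anonymous bind)."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":  # only true when the bind DN *is* the entry being modified
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(entry_dn)
    if who.startswith("dn.base="):
        return norm_dn(bind_dn) == norm_dn(who[len("dn.base="):])
    raise ValueError("unsupported who-clause %r" % who)


def access_level(rules: List[AccessRule], bind_dn: str, entry_dn: str, attr: str) -> str:
    """First matching 'access to' wins; inside it the first matching 'by' wins;
    when nothing matches slapd denies (implicit 'by * none')."""
    for rule in rules:
        if not target_matches(rule.target, attr):
            continue
        for clause in rule.clauses:
            if who_matches(clause.who, bind_dn, entry_dn):
                return clause.level
        return "none"
    return "none"


def may(rules: List[AccessRule], bind_dn: str, entry_dn: str, attr: str, wanted: str) -> bool:
    """True if the granted level is at least the requested one."""
    return LEVELS.index(access_level(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)


# DNs as they appear in the thread
ADAM = "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
TESTUSER = "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
MANAGER = "cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"

if __name__ == "__main__":
    rules = parse_acl(POSTED_ACL)
    # Adam's original test: bound as testuser, modifying testuser -> 'self write'
    print("testuser -> testuser userPassword:", access_level(rules, TESTUSER, TESTUSER, "userPassword"))
    # The test Quanah suggested: bound as adam, modifying testuser -> falls through to 'by * none'
    print("adam -> testuser userPassword:    ", access_level(rules, ADAM, TESTUSER, "userPassword"))
```

Against the live server the equivalent check is Quanah's ldapmodify bound as uid=adam against testuser's entry, which the posted ACL should reject with an insufficient-access error; the model above also shows why anonymous binds still get "auth" on userPassword (needed for the bind itself) while everyone else reading ordinary attributes falls to the second rule's "by * read".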