--On Thursday, August 16, 2007 6:25 PM -0500 Adam Williams awilliam@mdah.state.ms.us wrote:
Quanah Gibson-Mount wrote:
Well, in your above example here, ADAM binds as TESTUSER not as ADAM, and so is able to change TESTUSERs password. I see no problem with your ACLs, only your test. I.e., all you have proven is that testuser can change their own password.
The correct test would be to do:
ldapmodify -D "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxx -x -v -f changepasswd.ldif
Yes, I think you are right, I don't have a configuration error, just a logic problem in my head. I was just seeing if I could change testuser's password with the same password testuser is already using. And adam and testuser have the same password, which would make the ldapmodify command succeed whether adam or testuser ran it. I'll try tomorrow with a different password in changepasswd.ldif and see what happens. Thanks!
Um, you still missed my point.
The point here is, you become user "adam" to UNIX, but when you talk to the ldap server, you talk to it as user "testuser". You need to talk to the ldap server as "adam" for your test to be valid. As long as you use "testuser" as your bind dn to the LDAP server, it will always be able to change its own password.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration