Hello,
I've changed my acl like this: access to attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=nssldap,ou=DSA,dc=moldex,dc=group" write by anonymous auth by self write
access to * by self write by * read
and still get. => access_allowed: read access to "uid=techsupport,ou=Users,dc=moldex,dc=group" "userPassword" requested => acl_get: [1] attr userPassword => slap_access_allowed: result not in cache (userPassword) => acl_mask: access to entry "uid=techsupport,ou=Users,dc=moldex,dc=group", attr "userPassword" requested => acl_mask: to value by "", (=0) <= check a_dn_pat: cn=nssldap,ou=dsa,dc=moldex,dc=group <= check a_dn_pat: self <= check a_dn_pat: anonymous <= acl_mask: [3] applying auth(=xd) (stop) <= acl_mask: [3] mask: auth(=xd) => slap_access_allowed: read access denied by auth(=xd) => access_allowed: no more rules
this only happend if smbk5pwd is enabled. My pam_ldap config looks like this: base dc=moldex,dc=group uri ldap://127.0.0.1 ldap_version 3 rootdn cn=nssldap,ou=dsa,dc=moldex,dc=group referrals yes timelimit 30 bind_timelimit 30 bind_policy hard nss_reconnect_tries 1 nss_reconnect_sleeptime 1 nss_reconnect_maxsleeptime 2 nss_reconnect_maxconntries 1 nss_base_passwd ou=Users,dc=moldex,dc=group?one nss_base_passwd ou=Computers,dc=moldex,dc=group?one nss_base_shadow ou=Users,dc=moldex,dc=group?one nss_base_group ou=Groups,dc=moldex,dc=group?one nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,news,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data
ssl off pam_lookup_policy yes pam_password exop
Thanks, greek
--- On Sat, 7/26/08, Dieter Kluenter dieter@dkluenter.de wrote: From: Dieter Kluenter dieter@dkluenter.de Subject: Re: ppolicy pwdReset To: openldap-software@openldap.org Date: Saturday, July 26, 2008, 5:28 PM
greek ordono grexk@yahoo.com writes:
I'm getting this error:
=> access_allowed: read access to
"uid=techsupport,ou=Users,dc=moldex,dc=group" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry
"uid=techsupport,ou=Users,dc=moldex,dc=group", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=replicator,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: *
<= acl_mask: [2] applying +0 (break)
<= acl_mask: [2] mask: =0
=> acl_get: [2] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry
"uid=techsupport,ou=Users,dc=moldex,dc=group", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=samba,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: cn=nssldap,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: cn=squid,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [5] applying auth(=xd) (stop)
<= acl_mask: [5] mask: auth(=xd)
=> slap_access_allowed: read access denied by auth(=xd)
=> access_allowed: no more rules
send_search_entry: conn 9 access to attribute userPassword, value #0 not
allowed
For this search your rule no. 5 is applicable, and this rule disallows read access to attribute userPassword. Change your access rules accordingly.
-Dieter