I'm reading through Chapter 6 of the OpenLDAP Software 2.3 Administrator's Guide, but I'm a little confused about access permissions. I think my access permissions are wrong.
I have 2 users loaded in OpenLDAP, adam and testuser. In slapd.conf I have:

    access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
        by * none

    access to *
        by self write
        by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
        by * read
But adam can change testuser's password, and I want it so that a user can only change their own password and not someone else's:
    [root@gomer ~]# su -l adam
    [adam@gomer ~]$ ldapmodify -D "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x -v -f changepasswd.ldif
    ldap_initialize( <DEFAULT> )
    replace userPassword:
            {CRYPT}xxxxxxxxxxxx
    modifying entry "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
    modify complete

    [root@gomer ~]# cat ~adam/changepasswd.ldif
    dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
    changetype: modify
    userPassword: {CRYPT}xxxxxxxxxxx
And adam and testuser are different users:
    [root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x
    # extended LDIF
    #
    # LDAPv3
    # base <uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # testuser, People, gomer.mdah.state.ms.us
    dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
    uid: testuser
    cn: test user
    telephoneNumber: xxxxxxx
    roomNumber: IS
    homePhone: xxxxxxxx
    givenName: test
    sn: user
    mail: testuser@dc=mdah,dc=state,dc=ms,dc=us
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowLastChange: 13705
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 501
    gidNumber: 101
    homeDirectory: /home/testuser
    gecos: test user,IS,xxxxxxx,xxxxxxxxx
    userPassword:: xxxxxxxxxxxxx

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1

    [root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxx -x
    # extended LDIF
    #
    # LDAPv3
    # base <uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # adam, People, gomer.mdah.state.ms.us
    dn: uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
    uid: adam
    cn: adam williams
    telephoneNumber: xxxxxxxxxxxxx
    roomNumber: IS
    homePhone: xxxxxxxxxxx
    givenName: adam
    sn: williams
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    userPassword:: xxxxxxxxxxxxxxxxx
    shadowLastChange: 13705
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 500
    gidNumber: 100
    homeDirectory: /home/adam
    gecos: adam williams,IS,xxxxxxx,xxxxxxx
    mail: awilliam@mdah.state.ms.us

    # search result
    search: 2
    result: 0 Success

    # numResponses: 2
    # numEntries: 1
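Added example (not part of the post above, and not OpenLDAP's own code): a small Python model of how slapd evaluates the two access directives in the post. It follows the rule from the Administrator's Guide that the first "access to" clause whose target matches is used, and within it the first "by" clause whose subject matches decides the level. One thing worth checking against the post: the ldapmodify shown binds with -D "uid=testuser,...", so slapd compares that bind DN with the target entry and the "by self write" clause applies; the model below also shows what the same ACL yields when the bind DN is uid=adam. The DN normalisation is deliberately loose (trim and case-fold) and is an assumption of this model, not slapd's full matching rules.

```python
# Added example: model of slapd's first-match ACL evaluation for the directives
# quoted in the post. Not OpenLDAP code; the access levels and matching order
# follow the OpenLDAP 2.3 Administrator's Guide, the DN normalisation is a
# simplification assumed here.
from dataclasses import dataclass
from typing import List, Optional, Set

# Access levels in increasing order (OpenLDAP 2.3 stops at "write").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def normalize_dn(dn: str) -> str:
    """Loose DN normalisation for comparison: trim spaces, fold case (assumed)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class Who:
    kind: str                 # "self", "anonymous", "users", "dn.base" or "*"
    level: str                # access level granted when this clause matches
    dn: Optional[str] = None  # only used by dn.base


@dataclass
class Rule:
    attrs: Optional[Set[str]]  # None models "access to *"
    who: List[Who]

    def matches(self, attr: str) -> bool:
        return self.attrs is None or attr.lower() in self.attrs


def who_matches(w: Who, bind_dn: Optional[str], target_dn: str) -> bool:
    """Does this "by" clause apply to the given bind DN and target entry?"""
    if w.kind == "*":
        return True
    if w.kind == "anonymous":
        return bind_dn is None
    if bind_dn is None:          # remaining kinds need an authenticated bind
        return False
    if w.kind == "users":
        return True
    if w.kind == "self":
        return normalize_dn(bind_dn) == normalize_dn(target_dn)
    if w.kind == "dn.base":
        return normalize_dn(bind_dn) == normalize_dn(w.dn)
    raise ValueError(f"unknown who clause {w.kind!r}")


def evaluate(acl: List[Rule], bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    """Access level granted: first matching rule, then first matching who clause."""
    for rule in acl:
        if not rule.matches(attr):
            continue
        for w in rule.who:
            if who_matches(w, bind_dn, target_dn):
                return w.level
        return "none"   # target matched but no "by" clause did: denied
    return "none"       # no "access to" clause matched: denied


def allows(level: str, needed: str) -> bool:
    """Levels are cumulative: "write" implies "read", "read" implies "search", ..."""
    return LEVELS.index(level) >= LEVELS.index(needed)


# The two directives from the post, one Rule each, in the order they appear.
MANAGER = "cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
ACL = [
    Rule({"userpassword"}, [Who("self", "write"), Who("anonymous", "auth"),
                            Who("dn.base", "write", MANAGER), Who("*", "none")]),
    Rule(None, [Who("self", "write"), Who("dn.base", "write", MANAGER), Who("*", "read")]),
]
TESTUSER = "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
ADAM = "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"


def can_write_password(bind_dn: Optional[str], target_dn: str) -> bool:
    """Would a bind as bind_dn be allowed to modify target_dn's userPassword?"""
    return allows(evaluate(ACL, bind_dn, target_dn, "userPassword"), "write")


if __name__ == "__main__":
    for label, bind in [("bind as testuser", TESTUSER), ("bind as adam", ADAM),
                        ("bind as Manager", MANAGER), ("anonymous", None)]:
        print(f"{label:17s} -> userPassword of testuser: "
              f"{evaluate(ACL, bind, TESTUSER, 'userPassword')}")
```

Running it prints "write" for the testuser and Manager binds, "none" for a bind as adam, and "auth" for an anonymous bind, which is what the quoted ACL asks for; the practical check on a live server is to repeat the ldapmodify with -D set to adam's DN and adam's password, which is the case the ACL is meant to refuse.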