Hi,
Ok, I'll just read again that FAQ. Check this complete log of ppolicy with/without smbk5pwd overlay. Or maybe just another pam_ldap bug
1. change passwd before entering new password # passwd techsupport Enter login(LDAP) password:
smbk5pwd+ppolicy log: http://pastebin.com/m7dce205a ppolicy log: http://pastebin.com/m18f72eb6
2. enter new password New password: Re-enter new password: LDAP password information update failed: Insufficient access Operations are restricted to bind/unbind/abandon/StartTLS/modify password passwd: Permission denied passwd: password unchanged
smbk5pwd+ppolicy log: http://pastebin.com/m4f98884e ppolicy log: http://pastebin.com/m2fe93f63
If you look into step 1 anomymous is applied as well, without smbk5pwd and pwdReset update is successful. In step 2 there you can see the difference, if its acl problem can someone suggest a working acl(minimal) with smbk5pwd+ppolicy+pwdReset...
thanks grexk --- On Mon, 7/28/08, Dieter Kluenter dieter@dkluenter.de wrote: From: Dieter Kluenter dieter@dkluenter.de Subject: Re: ppolicy pwdReset To: openldap-software@openldap.org Date: Monday, July 28, 2008, 3:06 PM
greek ordono grexk@yahoo.com writes:
Hello,
I've changed my acl like this:
access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=nssldap,ou=DSA,dc=moldex,dc=group" write
by anonymous auth
by self write
access to *
by self write
by * read
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: read access denied by auth(=xd)
=> access_allowed: no more rules
The answer is obvious, your rule "by anonymous auth" is applied. You should prabably read http://www.openldap.org/faq/data/cache/189.html in order to design access rules
-Dieter