darkxer0x writes:
Thank you very much. But, I have another problem, what is the ACL to permit "seff" to change dn?
"man slapd.access" says:
The modrdn operation requires write (=w) privileges on the pseudo-attribute entry of the entry whose relative DN is being modified, write (=w) privileges on the pseudo-attribute children of the old and new entry's parents, and write (=w) privileges on the attributes that are present in the new relative DN. Write (=w) privileges are also required on the attributes that are present in the old relative DN if deleteoldrdn is set to 1.
Thus you'll need something like
# hide passwords, but allow users to update their own access to attrs=userPassword by self =wx by * auth # allow users to add/delete/move entries directly below dc=dominio access to dn="dc=dominio" attrs=children by dn.onelevel="dc=dominio" write # allow users to write their own entries and everyone to read # everything else access to * by self write by * read
I''ve tried in slapd.conf: access to dn.base="" by self write
This tries to grant access to the single entry with DN "", which is not a user entry but a special entry that describes the LDAP server. Also it doesn't grant any access to anyone but 'self'.
Maybe you meant access to * by self write by * read or something like access to dn.subtree=<some DN> by self write by * read
This doesn't work
It would help if you said which error message you receive (where slapd tries to _tell_ you why it failed), but here is a guess:
I've read some howto about ldapmodrdn and all of them say: -D "Directory Manager",
Hopefully they don't, since that's not a valid DN. It would be something like -D "cn=Directory Manager,dc=dominio"
assuming your slapd.conf includes something like
database bdb suffix "dc=dominio" rootdn "cn=Directory Manager,dc=dominio" rootpw <some password, possibly encrypted with sbin/slappasswd>
A database's rootdn is a special DN you can bind as which has full access to the database regardless of access control, and which does not need to exist in the database - which is why you can specify its password in slapd.conf instead.
openldap-software@openldap.org