Hello,
I've changed my acl like this:
access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=nssldap,ou=DSA,dc=moldex,dc=group" write
by anonymous auth
by self write
access to *
by self write
by * read
and still get:
=> access_allowed: read access to "uid=techsupport,ou=Users,dc=moldex,dc=group" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "uid=techsupport,ou=Users,dc=moldex,dc=group", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=nssldap,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: read access denied by auth(=xd)
=> access_allowed: no more rules
This only happens if smbk5pwd is enabled. My pam_ldap config looks like this:
base dc=moldex,dc=group
uri ldap://127.0.0.1
ldap_version 3
rootdn cn=nssldap,ou=dsa,dc=moldex,dc=group
referrals yes
timelimit 30
bind_timelimit 30
bind_policy hard
nss_reconnect_tries 1
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 2
nss_reconnect_maxconntries 1
nss_base_passwd ou=Users,dc=moldex,dc=group?one
nss_base_passwd ou=Computers,dc=moldex,dc=group?one
nss_base_shadow ou=Users,dc=moldex,dc=group?one
nss_base_group ou=Groups,dc=moldex,dc=group?one
nss_initgroups_ignoreusers backup,bin,daemon,dhcp,games,gnats,irc,klog,libuuid,list,lp,mail,man,news,openldap,proxy,root,sshd,sync,sys,syslog,uucp,www-data
ssl off
pam_lookup_policy yes
pam_password exop
Thanks, greek
--- On Sat, 7/26/08, Dieter Kluenter dieter@dkluenter.de wrote:
From: Dieter Kluenter dieter@dkluenter.de
Subject: Re: ppolicy pwdReset
To: openldap-software@openldap.org
Date: Saturday, July 26, 2008, 5:28 PM
greek ordono grexk@yahoo.com writes:
I'm getting this error:
=> access_allowed: read access to
"uid=techsupport,ou=Users,dc=moldex,dc=group" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry
"uid=techsupport,ou=Users,dc=moldex,dc=group", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=replicator,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: *
<= acl_mask: [2] applying +0 (break)
<= acl_mask: [2] mask: =0
=> acl_get: [2] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry
"uid=techsupport,ou=Users,dc=moldex,dc=group", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=samba,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: cn=nssldap,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: cn=squid,ou=dsa,dc=moldex,dc=group
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [5] applying auth(=xd) (stop)
<= acl_mask: [5] mask: auth(=xd)
=> slap_access_allowed: read access denied by auth(=xd)
=> access_allowed: no more rules
send_search_entry: conn 9 access to attribute userPassword, value #0 not allowed
For this search your rule no. 5 is applicable, and this rule disallows read access to attribute userPassword. Change your access rules accordingly.
-Dieter
greek ordono grexk@yahoo.com writes:
Hello,
I've changed my acl like this:
access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=nssldap,ou=DSA,dc=moldex,dc=group" write
by anonymous auth
by self write
access to *
by self write
by * read
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: read access denied by auth(=xd)
=> access_allowed: no more rules
The answer is obvious, your rule "by anonymous auth" is applied. You should probably read http://www.openldap.org/faq/data/cache/189.html in order to design access rules.
-Dieter
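As an added illustration (not code from this thread or from OpenLDAP), here is a small Python model of slapd's first-match ACL evaluation fed the ACL posted above. It shows why an anonymous bind (the `by ""` in the log) lands on `by anonymous auth`, whose auth level does not include read, while a bind as cn=nssldap would be granted. Only the documented OpenLDAP semantics are modelled (ordered `access to` clauses, first matching `by` clause wins, levels ordered none < disclose < auth < compare < search < read < write < manage); the data structures and helper names are my own simplification.

```python
# Constructed, simplified model of slapd's first-match ACL evaluation (illustration
# only, not OpenLDAP code): the first "access to" clause covering the attribute is
# selected, then its first matching "by" clause decides (default control "stop").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level_allows(granted, requested):
    # each level implies the ones below it: auth < compare < search < read < write
    return LEVELS.index(granted) >= LEVELS.index(requested)

def norm_dn(dn):
    # case-insensitive, like the lowercased DNs in the "check a_dn_pat" log lines
    return dn.strip('"').replace(" ", "").lower()

def who_matches(who, bind_dn, entry_dn):
    # <who> of a "by" clause, checked against the bind DN ("" for anonymous)
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and norm_dn(bind_dn) == norm_dn(entry_dn)
    if who.startswith("dn="):
        return norm_dn(who[3:]) == norm_dn(bind_dn)
    raise ValueError("unsupported who clause: " + who)

def access_allowed(acls, bind_dn, entry_dn, attr, requested):
    # returns (allowed, reason), mirroring the "=> access_allowed" log lines
    for idx, rule in enumerate(acls, start=1):
        if rule["attrs"] != "*" and attr not in rule["attrs"]:
            continue                      # this clause does not cover the attribute
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, entry_dn):
                ok = level_allows(level, requested)
                return ok, f"rule {idx}: by {who} {level} -> {requested} {'granted' if ok else 'denied'}"
        return False, f"rule {idx}: no by clause matched (implicit 'by * none')"
    return False, "no more rules"

# The ACL posted in the thread, written out as data
PASSWORD_ATTRS = {"userPassword", "shadowLastChange", "sambaNTPassword",
                  "sambaLMPassword", "sambaPwdLastSet", "sambaPwdMustChange"}
ACLS = [
    {"attrs": PASSWORD_ATTRS, "by": [('dn="cn=nssldap,ou=DSA,dc=moldex,dc=group"', "write"),
                                     ("anonymous", "auth"), ("self", "write")]},
    {"attrs": "*", "by": [("self", "write"), ("*", "read")]},
]
ENTRY = "uid=techsupport,ou=Users,dc=moldex,dc=group"

if __name__ == "__main__":
    print(access_allowed(ACLS, "", ENTRY, "userPassword", "read"))        # anonymous: denied
    print(access_allowed(ACLS, "cn=nssldap,ou=dsa,dc=moldex,dc=group", ENTRY, "userPassword", "read"))
```

Running it reproduces the log's outcome: the anonymous read stops at the second `by` clause of rule 1 with level auth, so read is denied even though a later `by self write` exists.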
Hi,
Ok, I'll just read that FAQ again. Check this complete log of ppolicy with/without the smbk5pwd overlay. Or maybe it's just another pam_ldap bug.
1. Change passwd before entering the new password:
# passwd techsupport
Enter login(LDAP) password:
smbk5pwd+ppolicy log: http://pastebin.com/m7dce205a ppolicy log: http://pastebin.com/m18f72eb6
2. Enter the new password:
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Operations are restricted to bind/unbind/abandon/StartTLS/modify password
passwd: Permission denied
passwd: password unchanged
smbk5pwd+ppolicy log: http://pastebin.com/m4f98884e ppolicy log: http://pastebin.com/m2fe93f63
If you look into step 1, anonymous is applied as well; without smbk5pwd and pwdReset update is successful. In step 2 you can see the difference. If it's an ACL problem, can someone suggest a working (minimal) ACL with smbk5pwd+ppolicy+pwdReset...
Thanks, grexk
--- On Mon, 7/28/08, Dieter Kluenter dieter@dkluenter.de wrote:
From: Dieter Kluenter dieter@dkluenter.de
Subject: Re: ppolicy pwdReset
To: openldap-software@openldap.org
Date: Monday, July 28, 2008, 3:06 PM
greek ordono grexk@yahoo.com writes:
Hello,
I've changed my acl like this:
access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
by dn="cn=nssldap,ou=DSA,dc=moldex,dc=group" write
by anonymous auth
by self write
access to *
by self write
by * read
<= acl_mask: [3] applying auth(=xd) (stop)
<= acl_mask: [3] mask: auth(=xd)
=> slap_access_allowed: read access denied by auth(=xd)
=> access_allowed: no more rules
The answer is obvious, your rule "by anonymous auth" is applied. You should probably read http://www.openldap.org/faq/data/cache/189.html in order to design access rules.
-Dieter