I'm reading through Chapter 6 of the OpenLDAP Software 2.3 Administrator's Guide, but I'm a little confused on access permissions. I think my access permissions are wrong.
I have 2 users loaded in OpenLDAP, adam and testuser. In slapd.conf I have:
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
        by * none
access to *
        by self write
        by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
        by * read
but adam can change testuser's password, and I want it so that a user can only change their password and not someone else's:
[root@gomer ~]# su -l adam
[adam@gomer ~]$ ldapmodify -D "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x -v -f changepasswd.ldif
ldap_initialize( <DEFAULT> )
replace userPassword:
        {CRYPT}xxxxxxxxxxxx
modifying entry "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
modify complete
[root@gomer ~]# cat ~adam/changepasswd.ldif
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
replace: userPassword
userPassword: {CRYPT}xxxxxxxxxxx
And adam and testuser are different users:
[root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, People, gomer.mdah.state.ms.us
dn: uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: testuser
cn: test user
telephoneNumber: xxxxxxx
roomNumber: IS
homePhone: xxxxxxxx
givenName: test
sn: user
mail: testuser@dc=mdah,dc=state,dc=ms,dc=us
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 101
homeDirectory: /home/testuser
gecos: test user,IS,xxxxxxx,xxxxxxxxx
userPassword:: xxxxxxxxxxxxx

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

[root@gomer ~]# ldapsearch -D 'cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us' -b "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxxx -x
# extended LDIF
#
# LDAPv3
# base <uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# adam, People, gomer.mdah.state.ms.us
dn: uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
uid: adam
cn: adam williams
telephoneNumber: xxxxxxxxxxxxx
roomNumber: IS
homePhone: xxxxxxxxxxx
givenName: adam
sn: williams
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword:: xxxxxxxxxxxxxxxxx
shadowLastChange: 13705
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 100
homeDirectory: /home/adam
gecos: adam williams,IS,xxxxxxx,xxxxxxx
mail: awilliam@mdah.state.ms.us

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
--On Thursday, August 16, 2007 12:19 PM -0500 Adam Williams awilliam@mdah.state.ms.us wrote:

> I'm reading through Chapter 6 of the OpenLDAP Software 2.3 Administrator's Guide, but I'm a little confused on access permissions. I think my access permissions are wrong.
>
> I have 2 users loaded in OpenLDAP, adam and testuser. In slapd.conf I have:
>
> access to attrs=userPassword
>         by self write
>         by anonymous auth
>         by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
>         by * none
> access to *
>         by self write
>         by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
>         by * read
>
> but adam can change testuser's password, and I want it so that a user can only change their password and not someone else's:
>
> [root@gomer ~]# su -l adam
> [adam@gomer ~]$ ldapmodify -D "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x -v -f changepasswd.ldif
> ldap_initialize( <DEFAULT> )
> replace userPassword:
>         {CRYPT}xxxxxxxxxxxx
> modifying entry "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
> modify complete
Well, in your above example here, ADAM binds as TESTUSER, not as ADAM, and so is able to change TESTUSER's password. I see no problem with your ACLs, only your test. I.e., all you have proven is that testuser can change their own password.
The correct test would be to do:
ldapmodify -D "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxx -x -v -f changepasswd.ldif
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:

> Well, in your above example here, ADAM binds as TESTUSER, not as ADAM, and so is able to change TESTUSER's password. I see no problem with your ACLs, only your test. I.e., all you have proven is that testuser can change their own password.
>
> The correct test would be to do:
>
> ldapmodify -D "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxx -x -v -f changepasswd.ldif
Yes, I think you are right, I don't have a configuration error, just a logic problem in my head. I was just seeing if I could change testuser's password with the same password testuser is already using. And adam and testuser have the same password, which would make the ldapmodify command succeed whether adam or testuser ran it. I'll try tomorrow with a different password in changepasswd.ldif and see what happens. Thanks!
--On Thursday, August 16, 2007 6:25 PM -0500 Adam Williams awilliam@mdah.state.ms.us wrote:

> Quanah Gibson-Mount wrote:
>
>> Well, in your above example here, ADAM binds as TESTUSER, not as ADAM, and so is able to change TESTUSER's password. I see no problem with your ACLs, only your test. I.e., all you have proven is that testuser can change their own password.
>>
>> The correct test would be to do:
>>
>> ldapmodify -D "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxx -x -v -f changepasswd.ldif
>
> Yes, I think you are right, I don't have a configuration error, just a logic problem in my head. I was just seeing if I could change testuser's password with the same password testuser is already using. And adam and testuser have the same password, which would make the ldapmodify command succeed whether adam or testuser ran it. I'll try tomorrow with a different password in changepasswd.ldif and see what happens. Thanks!
Um, you still missed my point.
The point here is, you become user "adam" to UNIX, but when you talk to the ldap server, you talk to it as user "testuser". You need to talk to the ldap server as "adam" for your test to be valid. As long as you use "testuser" as your bind dn to the LDAP server, it will always be able to change its own password.
--Quanah
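To make Quanah's point about the bind DN concrete, here is a small added model (not OpenLDAP code) of how slapd evaluates the two access directives from the original post: the first directive whose attribute set matches is used, its "by" clauses are tried in order, and the first matching "by" decides. The DNs are the ones from the thread; matching is simplified to a case-insensitive string compare, whereas slapd normalizes DNs properly.

```python
# Added example modelling slapd ACL evaluation for the thread's slapd.conf.
# Not OpenLDAP code; DN matching is a simplified case-insensitive compare.

MANAGER = "cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
TESTUSER = "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
ADAM = "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"

# slapd access levels, least to most privileged
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The posted directives: (attribute selector, [(who, level), ...]) in order.
ACLS = [
    ("userPassword", [("self", "write"), ("anonymous", "auth"),
                      (("dn.base", MANAGER), "write"), ("*", "none")]),
    ("*", [("self", "write"), (("dn.base", MANAGER), "write"), ("*", "read")]),
]


def who_matches(who, bind_dn, target_dn):
    """Does a 'by <who>' clause apply to this bind DN acting on target_dn?"""
    if who == "*":
        return True
    if who == "self":  # bind DN must equal the entry being modified
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who == "anonymous":  # empty bind DN
        return bind_dn == ""
    if isinstance(who, tuple) and who[0] == "dn.base":
        return bind_dn.lower() == who[1].lower()
    return False


def granted_level(bind_dn, target_dn, attr):
    """Access level slapd would grant: first matching directive, first matching 'by'."""
    for attrs, by_clauses in ACLS:
        if attrs != "*" and attrs.lower() != attr.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"  # directive matched but no 'by' clause did: denied
    return "none"


def can(bind_dn, target_dn, attr, wanted):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    # Adam's original test bound as testuser, so 'by self write' applied.
    print("testuser -> testuser:", granted_level(TESTUSER, TESTUSER, "userPassword"))
    # The corrected test binds as adam and hits 'by * none'.
    print("adam -> testuser:", granted_level(ADAM, TESTUSER, "userPassword"))
```

Binding as adam yields "none" on testuser's userPassword regardless of which password is in the LDIF, which is why the password being identical in both accounts does not affect the corrected test.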