I'd like to let my account managers clear the passwords of their managees in the event that an employee is no longer active. So, I've got an ACL like this:
access to attrs=userPassword,sambaNTPassword
by set="this/manager & user" write
by * break
But I realized that the ACL also allows the manager to -change- a user's password, which I don't really want.
Is there some ACL that I can grant that would let a manager remove an attribute from another user's account, but not otherwise change the value of that attribute?
Baskin School of Engineering
UC Santa Cruz
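One way to get exactly that split, shown here as an added example and not part of the original post: OpenLDAP 2.4 divides the write privilege into add (=a) and delete (=z), and a modify/replace needs both halves. Granting only delete therefore lets the manager remove password values but refuses modify/add and modify/replace. The attribute list and the set expression are taken from the post; the trailing clause, the DNs and the file layout are assumed.

```conf
# Added example slapd.conf fragment (not the poster's configuration).
# "write" == "add" + "delete" in OpenLDAP 2.4. Granting only "delete"
# permits modify/delete on these attributes and denies modify/add and
# modify/replace, so a manager can clear a password but not set one.
access to attrs=userPassword,sambaNTPassword
    by set="this/manager & user" delete
    by * break

# Everyone else falls through ("break") to the next clause, which is
# where the user's own right to set a password lives. Assumed example.
access to attrs=userPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
```

Check the effect before deploying it with slapacl, which evaluates the ACLs in slapd.conf without a running server: with assumed DNs, `slapacl -f slapd.conf -D "uid=alice,ou=people,dc=example,dc=com" -b "uid=bob,ou=people,dc=example,dc=com" userPassword/delete` should be allowed and the same command with `userPassword/add` denied. One caveat: removing both attributes only blocks simple and NTLM-style binds against them; it does not otherwise disable the entry.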
I have a running OpenLDAP server on Ubuntu and, as a client, my local computer on Fedora. I have mounted the /home directory from my client. Everything works fine so far, but the client can't resolve user names, only ID numbers, and I can't log in with OpenLDAP users from my client computer. I can use ldapsearch and so on without any problem, but somehow only users can't be resolved. Do you have any idea what the problem could be? Or do you need more information, like smb.conf?
Thanks in advance
Murat Can Tuna
On Wednesday, 30 June 2010 20:15:50 Licause, Al wrote:
> I have been attempting to use the ppolicy overlay on an openldap server
> running on a Red Hat V5.4 platform with the following components:
> I was unable to get the users password to expire by simply setting a value
> for pwdMaxAge without the use of the pwdReset parameter.
> I finally turned on all debugging in the slapd.conf file (value -1) and
> noticed that the value of pwdGraceAuthNLimit in the default policy, was
> set to 3, which allowed the ldap user access without changing the
Of course, after the grace authentications, binds would fail.
> The disturbing thing about this was the fact that the user is not notified
> that their password has expired. I would have thought that if the intent
> was to allow an expired password, then the user should be notified of not
> only the fact that their password has expired but how many more grace
> logins they would be allowed before either having to change the password
> or having the account disabled.
This is most likely a result of PAM misconfiguration. You didn't specify how
you were testing.
However, with almost identical software, my environment works correctly.
Please include your full client-side configuration when posting to openldap-technical
(e.g. all PAM files included by the service with which you were
Note that the openldap-bugs list is for tracking bugs logged on the ITS bug
tracker. Questions should be posted to the openldap-technical list.
I have noticed a problem regarding ExOp PASSMOD and chaining in my
OpenLDAP environment. Maybe some of the other overlays are doing their
part in this as well.
Password changes stopped behaving weirdly at some point, and after some
experimenting, I have the following picture: When a slave runs for a few
days and some user tries to change his password, the change is done in
the local database only (no chaining done or referral returned),
resulting in an inconsistent database between the slave and all the
other servers. That way, logging in to services which connect to the
LDAP servers in a round-robin fashion sometimes works with the "new"
password and sometimes with the old one. After I restart the slapd on
the slaves, everything works again for a few days, before it goes bad again.
Every other write gets chained just fine when a slave is in this
condition. It's only the PASSMOD operations that are stuck.
I have one master and four slaves running on Solaris 10, one of them
SPARC, the others x86.
Software Versions are:
Cyrus SASL 2.1.23
Heimdal Kerberos 1.3.3
All the configs and the sourcecode of my self-made pwdCheckModule for
ppolicy can be found here:
Has someone experienced this before and knows how to fix this? Maybe
something wrong with my ppolicy stuff?
Just joined this list, so please pardon me for any mistakes.
I have been trying to add the "CourierMailAccount" object class and the "qmailUser"
object class for days without success. I created a schema file, defined
the attribute types and object classes, and added the file in an include
statement in slapd.conf, but slapd does not seem to recognize the new object
When I try to add users to the database using ldapadd, I get the error
"ldap_add: Invalid syntax (21)
additional info: objectClass:value #2 invalid per syntax"
The #2 objectClass is "qmailuser".
Suggestions and advice will be appreciated.
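slapd reports "invalid per syntax" on an objectClass value when that name is not in the schema it has loaded, so the thing to check is whether the file was actually picked up. As an added illustration, not the poster's schema and not the Courier or qmail definitions (which carry their own registered OIDs), this is the shape slapd expects: includes placed before any database section and in dependency order, attribute types defined before the object classes that use them, and OIDs from a private arc. The paths, names and the 1.3.6.1.4.1.99999 arc are placeholders.

```conf
# slapd.conf (added example, not the poster's file). Schema includes
# must precede every "database" section, and a schema file can only
# reference attributes and classes defined in files included before it.
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema
include   /etc/openldap/schema/nis.schema
include   /etc/openldap/schema/local-mail.schema   # assumed local file

# local-mail.schema (placeholder definitions; OIDs under an assumed
# private arc, substitute one you control). Attribute types come first.
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleMailbox'
    DESC 'Maildir path relative to the mail root'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

# Object class referencing the attribute above plus core attributes
# (mail, description) that core.schema has already defined.
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleMailUser'
    DESC 'Example auxiliary mail account class'
    SUP top AUXILIARY
    MUST ( mail $ exampleMailbox )
    MAY ( description ) )
```

Run `slaptest -f slapd.conf` to parse the configuration with schema checking before restarting slapd; a typo in the schema file or a missing dependency is reported there with the file and line. After the restart, confirm the class is actually visible to clients with `ldapsearch -x -b cn=Subschema -s base objectClasses | grep -i examplemailuser`. Object class names in LDIF are matched case-insensitively, so "qmailuser" versus "qmailUser" is not the cause of the error.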
I have one program which can authenticate with an LDAP server and Active Directory with read access.
I need to authenticate extra users, but I can't add them to Active Directory for security reasons. The program can work with only one LDAP source.
I have tried to use the OpenLDAP chain overlay to join local and remote LDAP databases with referrals. Search works fine, but the bind operation doesn't work; openldap writes the error:
<= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30989)
Is it possible to bind to remote LDAP records with chain overlay?
chain-chaining resolve=chainingRequired continuation=chainingRequired
Could you recommend another solution?