I'd appreciate it if any of you are willing to take the time and share with me your experience with OpenLDAP running on a RedHat server configured with group ACLs.
I'm trying to grant a group of people (including myself) permission to change user LDAP passwords. However, when I try to change a user's LDAP password, I receive the following message:
Result: Insufficient access (50)
The command that I used was:
ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S "uid=w_smith,ou=People,dc=mydomain,dc=com"
My ACL settings in the slapd.conf file are:
access to attr=userPassword
by self write
by anonymous auth
by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
by * none
access to *
by self write
by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
by * read
My netgroup has been defined as the following:
dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: ITgroup
nisNetgroupTriple: (,l_luke,mydomain.com)
nisNetgroupTriple: (,w_smith,mydomain.com)
nisNetgroupTriple: (,g_baker,mydomain.com)
description: Password Keepers
My user entry is:
# l_luke, People mydomain.com
dn: uid=l_luke,ou=People,dc=mydomain,dc=com
uid: l_luke
cn: l_luke
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13958
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/l_luke
gecos: Luke Lee
Can anyone point me in the right direction or share with me the correct group ACL settings that you have? Thanks!
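As an added illustration (not part of the post and not OpenLDAP's own code), the following simplified model walks the userPassword clause above the way slapd does, applying the rule from slapd.access(5) that a plain group.exact=<dn> expects an objectClass groupOfNames entry and compares the bind DN with the DN values of its member attribute (group/<objectClass>/<attr> overrides both). The ou=Groups entry is a constructed, hypothetical groupOfNames holding the same people as DNs, and the model binds as the uid=l_luke,ou=People entry shown in the post rather than the ou=Netgroup DN used on the ldappasswd command line.

```python
# Added offline model of how slapd picks the <by> clause that applies to a bind
# DN under one "access to" directive; not OpenLDAP's own code. Assumption from
# slapd.access(5): group.exact defaults to objectClass groupOfNames / attr member.

def norm(dn: str) -> str:
    """Compare DNs case-insensitively, ignoring spaces after commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))

# Constructed directory: the poster's netgroup plus a hypothetical groupOfNames.
DIRECTORY = {
    norm("cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com"): {
        "objectclass": ["nisNetgroup", "top"],
        "nisnetgrouptriple": ["(,l_luke,mydomain.com)", "(,w_smith,mydomain.com)"],
    },
    norm("cn=ITgroup,ou=Groups,dc=mydomain,dc=com"): {
        "objectclass": ["groupOfNames", "top"],
        "member": ["uid=l_luke,ou=People,dc=mydomain,dc=com",
                   "uid=w_smith,ou=People,dc=mydomain,dc=com"],
    },
}

def group_matches(bind_dn: str, who: str) -> bool:
    """who has the form group[/objectClass[/attr]][.style]=<group dn>."""
    spec, group_dn = who.split("=", 1)
    parts = [p.split(".")[0] for p in spec.split("/")]   # drop .exact/.expand
    oc = parts[1] if len(parts) > 1 else "groupOfNames"
    attr = (parts[2] if len(parts) > 2 else "member").lower()
    entry = DIRECTORY.get(norm(group_dn.strip('"')))
    if entry is None or oc.lower() not in [c.lower() for c in entry["objectclass"]]:
        return False   # no such group, or not of the expected object class
    return norm(bind_dn) in [norm(v) for v in entry.get(attr, [])]

def access_level(bind_dn: str, target_dn: str, by_clauses) -> str:
    """The first <by> clause whose subject matches decides (slapd's default)."""
    for who, level in by_clauses:
        if who == "self" and norm(bind_dn) == norm(target_dn):
            return level
        if who == "anonymous" and bind_dn == "":
            return level
        if who.startswith("group") and group_matches(bind_dn, who):
            return level
        if who == "*":
            return level
    return "none"

NETGROUP_ACL = [("self", "write"), ("anonymous", "auth"), ("*", "none")]
NETGROUP_ACL.insert(2, ('group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com"', "write"))
GROUPOFNAMES_ACL = [("self", "write"), ("anonymous", "auth"), ("*", "none")]
GROUPOFNAMES_ACL.insert(2, ('group.exact="cn=ITgroup,ou=Groups,dc=mydomain,dc=com"', "write"))
```

With the netgroup, the group clause never matches and evaluation falls through to `by * none`, which is the "Insufficient access (50)" outcome; with the groupOfNames the same bind DN reaches `write`.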