Hello,
My users are allowed to modify their own passwords. My ACL is set like this:
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none
olcAccess: {1} to * by * read
Though not the perfect configuration, it works. In yours, I don't see the userPassword attribute.
John D. Borresen (Dave)
Email: john.borresen@ll.mit.edu
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Rajagopal Rc
Sent: Wednesday, December 23, 2015 2:04 AM
To: openldap-technical@openldap.org
Subject: Issue while changing user password by self
Hello,
I am trying to allow users to change their own passwords.
OS: RHEL7, OpenLDAP version 2.4.39-7.el7_1.x86_64
ACL in slapd.conf
disallow bind_anon
access to attrs=userPassword by self write by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * auth
access to * by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * break
access to * by dn="cn=Manager,dc=rnd,dc=com" by users read by self write by * auth
From the client machine, 'user5' is trying to change their own password and gets the following error:
$ ldappasswd -H ldaps://ldapdev.rnd.com:636 -x -D "cn=user 5,ou=people,dc=rnd,dc=com" -W -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)
Additional info: User alteration of password is not allowed
This error looks like a permissions issue, yet I have already allowed access to attrs=userPassword by self write in slapd.conf. Please let me know if there is anything wrong in the above ACL and why I am getting this error.
Thanks & Regards,
Raj
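As an added check (example code written for this thread, not from either poster), a small first-match model of slapd's ACL evaluation, run over the three access directives from the post, shows that they already grant user5 write on its own userPassword, so these directives are not what is refusing the change. The model covers only the <who> forms used in the post, treats 'continue' like 'stop', and assumes an omitted access level leaves the granted level unchanged; all function names are mine.

```python
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]  # weakest to strongest
# The access directives exactly as posted in the thread (slapd.conf syntax).
POSTED_ACL = '''
access to attrs=userPassword by self write by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * auth
access to * by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * break
access to * by dn="cn=Manager,dc=rnd,dc=com" by users read by self write by * auth
'''

def parse_acl(text):
    """Parse 'access to <what> by <who> [<level>] [<control>] ...' lines into (what, clauses) tuples."""
    rules = []
    for tok in (t for t in map(shlex.split, text.splitlines()) if t[:2] == ["access", "to"]):
        clauses, i = [], 3                     # shlex has already stripped the quotes around DNs
        while i + 1 < len(tok) and tok[i] == "by":
            who, i = tok[i + 1], i + 2
            level, control = None, "stop"      # None: level omitted, as in 'by * break' and the Manager clause
            if i < len(tok) and tok[i] in LEVELS:
                level, i = tok[i], i + 1
            if i < len(tok) and tok[i] in ("stop", "continue", "break"):
                control, i = tok[i], i + 1
            clauses.append((who, level, control))
        rules.append((tok[2], clauses))
    return rules

def who_matches(who, bind_dn, target_dn):   # simplified: *, anonymous, users, self and exact-DN forms only
    simple = {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
              "self": bind_dn is not None and bind_dn.lower() == target_dn.lower()}
    if who in simple:
        return simple[who]
    if who.startswith(("dn=", "dn.base=", "dn.exact=")):   # regex/subtree styles are not modelled
        return bind_dn is not None and who.split("=", 1)[1].lower() == bind_dn.lower()
    raise ValueError("unsupported <who> form: " + who)

def granted_level(rules, bind_dn, target_dn, attr):
    """First-match model of slapd ACL evaluation; 'break' carries on to the next directive covering attr."""
    level = "none"
    for what, clauses in rules:
        if what != "*" and not (what.startswith("attrs=") and attr.lower() in what[6:].lower().split(",")):
            continue
        for who, lvl, control in clauses:
            if who_matches(who, bind_dn, target_dn):
                level = lvl or level            # omitted level: assumed to leave the granted level unchanged
                if control != "break":
                    return level                # 'stop' (the default); 'continue' is treated the same here
                break                           # 'break': go on to the next matching directive
        else:
            return "none"                       # no <who> clause matched: implicit 'by * none'
    return level
```

The text "User alteration of password is not allowed" is produced by the ppolicy overlay when the password policy in force has pwdAllowUserChange set to FALSE, so that overlay's configuration is the next thing to check.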