On Wed, 22 Jan 2014 18:14:22 -0700, Joshua Schaeffer jschaeffer0922@gmail.com wrote:
Just now getting back to this. I ran the daemon in debug mode, then ran the passwd utility on a different server for my uid (got the same results as before and then terminated the daemon) and it output a lot on the ACLs. I attached the full log file. Below is the tail end of the log:
===================================================
52e068f8 <= acl_mask: [3] mask: read(=rscxd)
52e068f8 => slap_access_allowed: read access granted by read(=rscxd)
52e068f8 => access_allowed: read access granted by read(=rscxd)
52e068f8 => access_allowed: result not in cache (userPassword)
52e068f8 => access_allowed: read access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068f8 => acl_get: [1] attr userPassword
52e068f8 => acl_mask: access to entry "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword" requested
52e068f8 => acl_mask: to value by "", (=0)
52e068f8 <= check a_dn_pat: self
52e068f8 <= check a_dn_pat: anonymous
52e068f8 <= acl_mask: [2] applying auth(=xd) (stop)
52e068f8 <= acl_mask: [2] mask: auth(=xd)
52e068f8 => slap_access_allowed: read access denied by auth(=xd)
52e068f8 => access_allowed: no more rules
52e068f8 send_search_entry: conn 1000 access to attribute userPassword, value #0 not allowed
52e068fb => bdb_entry_get: found entry: "uid=jschaeffer,ou=people,dc=harmonywave,dc=com"
52e068fb => bdb_entry_get: found entry: "cn=default,ou=policies,dc=harmonywave,dc=com"
52e068fb => access_allowed: result not in cache (userPassword)
52e068fb => access_allowed: auth access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068fb => acl_get: [1] attr userPassword
52e068fb => acl_mask: access to entry "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword" requested
52e068fb => acl_mask: to value by "", (=0)
52e068fb <= check a_dn_pat: self
52e068fb <= check a_dn_pat: anonymous
52e068fb <= acl_mask: [2] applying auth(=xd) (stop)
52e068fb <= acl_mask: [2] mask: auth(=xd)
52e068fb => slap_access_allowed: auth access granted by auth(=xd)
[...]
There is an anonymous trying to read a userPassword (and probably trying to modify it afterwards). According to your access rules, only auth permissions are granted to anonymous.
-Dieter
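
The reading of the trace given in the reply above can be reproduced mechanically. The following is an added example, not code from the thread or from OpenLDAP: it parses slapd ACL debug lines (the sample is copied from the log quoted above) and reports, per access request, the requested level, the who-pattern that matched and the outcome. The function names are hypothetical, and treating the last `check a_dn_pat` line before `applying` as the matching clause is an assumption based on this log.

```python
import re

# Lines copied from the slapd debug output quoted in the thread above.
SAMPLE_LOG = '''\
52e068f8 => access_allowed: read access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068f8 => acl_get: [1] attr userPassword
52e068f8 <= check a_dn_pat: self
52e068f8 <= check a_dn_pat: anonymous
52e068f8 <= acl_mask: [2] applying auth(=xd) (stop)
52e068f8 => slap_access_allowed: read access denied by auth(=xd)
52e068fb => access_allowed: auth access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068fb => acl_get: [1] attr userPassword
52e068fb <= check a_dn_pat: self
52e068fb <= check a_dn_pat: anonymous
52e068fb <= acl_mask: [2] applying auth(=xd) (stop)
52e068fb => slap_access_allowed: auth access granted by auth(=xd)
'''

REQ = re.compile(r'access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
WHO = re.compile(r'check a_dn_pat: (\S+)')
APPLY = re.compile(r'acl_mask: \[(\d+)\] applying (\S+)')
RESULT = re.compile(r'slap_access_allowed: (\w+) access (granted|denied) by (\S+)')

def summarize(log):
    """Return one record per access request found in a slapd ACL trace."""
    out, cur = [], None
    for line in log.splitlines():
        if m := REQ.search(line):
            cur = dict(level=m[1], entry=m[2], attr=m[3], who=None, clause=None, mask=None, result=None)
            out.append(cur)
        elif cur is None:
            continue  # trace line belonging to a request that started before the excerpt
        elif m := WHO.search(line):
            cur["who"] = m[1]  # assumption: last pattern checked before "applying" matched
        elif m := APPLY.search(line):
            cur["clause"], cur["mask"] = int(m[1]), m[2]
        elif m := RESULT.search(line):
            cur["result"] = m[2]
            cur = None
    return out

def anonymous_non_auth(records):
    """Requests evaluated as anonymous that asked for more than auth on userPassword."""
    return [r for r in records if r["who"] == "anonymous" and r["attr"] == "userPassword" and r["level"] != "auth"]

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG):
        print(r["level"], r["attr"], "as", r["who"], "->", r["result"], "by", r["mask"])
```
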