On 04/10/2023 at 14:46, Emmanuel Seyman wrote:
Hello, all.
I have an instance of OpenLDAP in which I use groups to manage access controls, similar to the way the FAQ and admin guide describe it.
My DIT layout:
uid=userildr1,ou=people,o=gdAA,dc=example,dc=com
uid=userildr2,ou=people,o=gdAA,dc=example,dc=com
...
cn=readINT,ou=groups,o=gdAA,dc=example,dc=com
cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com
cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com
...
ou=people,o=INT,dc=example,dc=com
...
ou=groups,o=INT,dc=example,dc=com
Outside of the DIT, my slapd.conf file (yes, I know) contains:
access to dn.sub="o=INT,dc=example,dc=com"
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=readINT,ou=groups,o=gdAA,dc=example,dc=com" read
The uid=userildr1,ou=people,o=gdAA,dc=example,dc=com entry is in the readINT group yet seems unable to run a search. I get an error 50 ("Operations are restricted to bind/unbind/abandon/StartTLS/modify password") and cannot figure out why this is happening. If anyone can tell me what's going on, I would appreciate it.
I'm seeing "config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context" in the log files but this looks harmless.
This is OpenLDAP 2.5.14 running on RHEL 8, with the LTB packages. Logs and the configuration file are available if necessary.
Hello Emmanuel,
The error "Operations are restricted to bind/unbind/abandon/StartTLS/modify password" means the account has the pwdReset flag set to TRUE and must reset its password. It is linked to the password policy.
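As an added illustration of the diagnosis in the reply above (this script is not from either poster), the following shell functions show how to confirm that an account is in the pwdReset state and the two ways out of it. pwdReset is an operational attribute set by the ppolicy overlay, so it is only returned when requested by name, and the search has to be run by an account that is not itself restricted (here the rootdn). The user clears the state by performing the password-modify extended operation, which ldappasswd issues and which is one of the few operations the server still allows; alternatively the rootdn deletes the attribute. The LDAP URI, the rootdn, the password file and the sample LDIF output are assumptions for the example and are not in the original thread.

```shell
#!/bin/sh
# Added example, not code from the thread: diagnose and clear the pwdReset
# state behind "Operations are restricted to bind/unbind/abandon/StartTLS/
# modify password" (LDAP result code 50).
# Assumed values (not from the original post): server URI, rootdn, password file.
LDAPURI="${LDAPURI:-ldap://localhost}"
ADMINDN="${ADMINDN:-cn=admin,dc=example,dc=com}"
ADMINPW_FILE="${ADMINPW_FILE:-/etc/openldap/admin.pw}"
USERDN="uid=userildr1,ou=people,o=gdAA,dc=example,dc=com"

# pwdReset is an operational attribute: ask for it by name (or with '+'),
# and do so as the rootdn, since the affected user cannot search at all.
pwdreset_query() {
  ldapsearch -x -LLL -H "$LDAPURI" -D "$ADMINDN" -y "$ADMINPW_FILE" \
    -b "$1" -s base '(objectClass=*)' pwdReset pwdChangedTime pwdPolicySubentry
}

# Report whether LDIF text (as printed by ldapsearch) carries pwdReset: TRUE.
# Returns 0 when the entry is flagged, 1 otherwise. Pure text processing, so
# it can be exercised without a directory.
pwdreset_flagged() {
  printf '%s\n' "$1" | grep -qi '^pwdReset: TRUE$'
}

# Way out for the user: the password-modify extended operation is still
# permitted, so the user binds as itself and changes its own password.
# ldappasswd -S prompts for the new password; -W for the bind password.
user_self_reset() {
  ldappasswd -x -H "$LDAPURI" -D "$1" -W -S
}

# Way out for the administrator: delete the flag without touching the
# password. The LDIF is returned as text so it can be reviewed or piped on.
clear_pwdreset_ldif() {
  printf 'dn: %s\nchangetype: modify\ndelete: pwdReset\n' "$1"
}
admin_clear_pwdreset() {
  clear_pwdreset_ldif "$1" | \
    ldapmodify -x -H "$LDAPURI" -D "$ADMINDN" -y "$ADMINPW_FILE"
}

# Constructed LDIF, modelled on what pwdreset_query prints for a flagged account.
SAMPLE_LDIF='dn: uid=userildr1,ou=people,o=gdAA,dc=example,dc=com
pwdChangedTime: 20231003120000Z
pwdReset: TRUE'

if pwdreset_flagged "$SAMPLE_LDIF"; then
  echo "$USERDN is flagged pwdReset=TRUE: result code 50 on search is expected"
  echo "either run: user_self_reset \"$USERDN\"  (as the user)"
  echo "or run:     admin_clear_pwdreset \"$USERDN\"  (as the rootdn)"
fi
```

Once the flag is gone the group ACL applies again and the search should succeed; the ACL itself is not what produces result code 50, an access denial would show up as an empty result or "Insufficient access" instead.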