Hello, all. I have an instance of OpenLDAP in which I use groups to manage access controls, similar to the way the FAQ and admin guide describe it. My DIT layout:

uid=userildr1,ou=people,o=gdAA,dc=example,dc=com
uid=userildr2,ou=people,o=gdAA,dc=example,dc=com
...
cn=readINT,ou=groups,o=gdAA,dc=example,dc=com
cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com
cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com
...
ou=people,o=INT,dc=example,dc=com
...
ou=groups,o=INT,dc=example,dc=com

Outside of the DIT, my slapd.conf file (yes, I know) contains:

access to dn.sub="o=INT,dc=example,dc=com"
    by self write
    by group/groupOfUniqueNames/uniqueMember="cn=superadmin,ou=groups,o=gdAA,dc=example,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=writeINT,ou=groups,o=gdAA,dc=example,dc=com" write
    by group/groupOfUniqueNames/uniqueMember="cn=readINT,ou=groups,o=gdAA,dc=example,dc=com" read

The uid=userildr1,ou=people,o=gdAA,dc=example,dc=com entry is in the readINT group yet seems unable to run a search. I get an error 50 ("Operations are restricted to bind/unbind/abandon/StartTLS/modify password") and cannot figure out why this is happening. If anyone can tell me what's going on, I would appreciate it.

I'm seeing "config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context" in the log files but this looks harmless.

This is OpenLDAP 2.5.14 running on RHEL 8, with the LTB packages. Logs and the configuration file are available if necessary.
Hello Emmanuel,
the error "Operations are restricted to
bind/unbind/abandon/StartTLS/modify password" means the account
has the pwdReset flag set to TRUE and must reset its password. It
is linked to password policy.
--
Clément Oudot | Identity Solutions Manager
clement.oudot@worteks.com
Worteks | https://www.worteks.com
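A small check a directory administrator can run to confirm the diagnosis above before touching the ACLs: take an LDIF export of the subtree (ldapsearch run as an identity allowed to read operational attributes, with "+" in the attribute list so that pwdReset is returned) and list which entries carry pwdReset: TRUE, including which members of a given group are affected. This is an added example, not code from the thread or from OpenLDAP; the LDIF below is constructed sample data that mirrors the DIT described in the question, and the parser handles only the LDIF features it needs (folded lines, base64 values, comments).

```python
import base64
from typing import Dict, List, Tuple

Entry = Tuple[str, Dict[str, List[str]]]

# Constructed sample export (not data from the thread). Assumes something like:
#   ldapsearch -LLL -x -D "<admin dn>" -W -b "o=gdAA,dc=example,dc=com" "(objectClass=*)" "*" "+"
# was run so that the ppolicy operational attribute pwdReset is present.
SAMPLE_LDIF = """\
# export of o=gdAA (constructed)
dn: uid=userildr1,ou=people,o=gdAA,dc=example,dc=com
objectClass: inetOrgPerson
uid: userildr1
description:: Zm9yY2VkIHJlc2V0
pwdReset: TRUE
pwdChangedTime: 20240101120000Z

dn: uid=userildr2,ou=people,o=gdAA,dc=example,dc=com
objectClass: inetOrgPerson
uid: userildr2

dn: cn=readINT,ou=groups,o=gdAA,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: readINT
uniqueMember: uid=userildr1,ou=people,o=gdAA,dc=example,dc=com
uniqueMember: uid=userildr2,ou=people,
 o=gdAA,dc=example,dc=com
"""


def _unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a line starting with one space continues the previous line)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into (dn, {attribute: [values]}) pairs.

    Attribute names are lower-cased because LDAP attribute types are case-insensitive;
    'attr:: <base64>' values are decoded; comment lines are skipped. URL-valued
    attributes ('attr:< file://...') are not supported by this minimal parser."""
    entries: List[Entry] = []
    dn = None
    attrs: Dict[str, List[str]] = {}
    for line in _unfold(text) + [""]:  # trailing "" flushes the last record
        if line == "":
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def normalize_dn(dn: str) -> str:
    """Case-fold and trim whitespace around RDN separators. Sufficient for the DNs in this
    example; it is not a full RFC 4514 normalizer."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def accounts_with_pwd_reset(entries: List[Entry]) -> List[str]:
    """DNs whose pwdReset is TRUE. Such accounts get LDAP result 50 for every operation
    other than bind/unbind/abandon/StartTLS/password modify, regardless of what the ACLs grant."""
    return sorted(
        dn for dn, attrs in entries
        if any(v.upper() == "TRUE" for v in attrs.get("pwdreset", []))
    )


def group_members_needing_reset(entries: List[Entry], group_dn: str) -> List[str]:
    """uniqueMember values of group_dn that are flagged pwdReset: the members an ACL
    'by group' clause appears to authorise but who will still be refused a search."""
    by_dn = {normalize_dn(dn): attrs for dn, attrs in entries}
    group = by_dn.get(normalize_dn(group_dn))
    if group is None:
        raise KeyError(f"group not found: {group_dn}")
    flagged = {normalize_dn(dn) for dn in accounts_with_pwd_reset(entries)}
    return sorted(m for m in group.get("uniquemember", []) if normalize_dn(m) in flagged)


if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for flagged_dn in accounts_with_pwd_reset(parsed):
        print("pwdReset=TRUE:", flagged_dn)
    print("readINT members needing a password change:",
          group_members_needing_reset(parsed, "cn=readINT,ou=groups,o=gdAA,dc=example,dc=com"))
```

If an account shows up here, the fix is the one the reply gives: the user changes their password (the one operation the server still permits in that state), after which the flag is cleared by the ppolicy overlay and the group ACL takes effect as written.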