Scott Classen sclassen@lbl.gov wrote on 02.10.2020 at 02:16 in
message 04E7C3A0-4B9E-4975-9B16-2381FE8D3B25@lbl.gov:
On Oct 1, 2020, at 3:27 PM, Quanah Gibson‑Mount quanah@symas.com wrote:
--On Thursday, October 1, 2020 4:22 PM -0700 Scott Classen <sclassen@lbl.gov> wrote:
Hello,
I'm having trouble understanding why I can't get a service account to reset a userPassword attribute.
ACLs are:
{0}to attrs=userPassword by self write by anonymous auth by * none
{1}to * by self write by users read by dn.base="uid=pwreset,dc=example,dc=com" write by * none
But when the password reset utility attempts to modify the password I see the following 50 error, indicating that the ACL is somehow preventing the pwreset account from modifying userPassword
The above ACLs give no access to the userPassword attribute for the pwreset
DN.
{0}to attrs=userPassword by self write by anonymous auth by dn.base="uid=pwreset,dc=example,dc=com" write by * none
{1}to * by self write by users read by * none
The above ACLs give the pwreset DN write access to the userPassword
attribute, but do not give any access to the pseudo "entry" attribute, which
is mandatory as documented in the slapd.access(5) man page.
Regards, Quanah
I added this as the first ACL and now things are working:
{0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword by dn.exact="uid=pwreset,dc=example,dc=com" write by * break
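The working rule set from this thread written out as a cn=config olcAccess modification, as an added example that is not from any of the posts. The suffix, DNs and rules come from the thread; the database DN olcDatabase={1}mdb,cn=config and the decision to drop the separate pwreset clause from the userPassword rule (it is now covered by {0}) are assumptions.

```ldif
# Added example (not from the thread): cn=config form of the working ACLs.
# Assumption: the data backend is olcDatabase={1}mdb,cn=config.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: a modify needs write on the pseudo attribute "entry" AND on the
#      attribute being changed (slapd.access(5)); scoped to ou=People only.
#      "by * break" lets every other identity fall through to later rules
#      instead of being denied here.
olcAccess: {0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword
  by dn.exact="uid=pwreset,dc=example,dc=com" write
  by * break
# {1}: the original userPassword rule for everyone else; pwreset never
#      reaches it for ou=People because {0} already granted write.
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# {2}: catch-all; the reset account gets only the same read as other users.
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

Apply it with ldapmodify as the cn=config rootdn, then verify by replacing userPassword on a test entry under ou=People while bound as uid=pwreset: the operation should succeed instead of returning result code 50 (insufficientAccessRights), and the same bind should still be refused when it tries to modify any other attribute.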
Hi!
Out of curiosity I had checked our ACLs finding that we do not have the "entry" part, but still everything is working for years. So I'd like to ask: In which version (if any) was that requirement added? Also I could not find the specific reference in my version of the manual page.
Regards, Ulrich