On Oct 1, 2020, at 3:27 PM, Quanah Gibson-Mount quanah@symas.com wrote:
--On Thursday, October 1, 2020 4:22 PM -0700 Scott Classen <sclassen@lbl.gov> wrote:
Hello,
I'm having trouble understanding why I can't get a service account to reset a userPassword attribute.
ACLs are:
{0}to attrs=userPassword
    by self write
    by anonymous auth
    by * none
{1}to *
    by self write
    by users read
    by dn.base="uid=pwreset,dc=example,dc=com" write
    by * none
But when the password reset utility attempts to modify the password I see the following 50 error, indicating that the ACL is somehow preventing the pwreset account from modifying userPassword
The above ACLs give no access to the userPassword attribute for the pwreset DN.
{0}to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="uid=pwreset,dc=example,dc=com" write
    by * none
{1}to *
    by self write
    by users read
    by * none
The above ACLs give the pwreset DN write access to the userPassword attribute, but do not give any access to the pseudo "entry" attribute, which is mandatory as documented in the slapd.access(5) man page.
Regards, Quanah
I added this as the first ACL and now things are working:
{0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword
    by dn.exact="uid=pwreset,dc=example,dc=com" write
    by * break
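For reference, the full ACL set implied by the thread, written out as a cn=config modification. This is an added illustration, not config posted by either participant: the database DN "olcDatabase={1}mdb,cn=config" is assumed, as is the placement of the pwreset entry outside ou=People. The first rule grants pwreset write on both the "entry" pseudo-attribute and userPassword, scoped to the ou=People subtree so the service account cannot reset passwords of entries elsewhere in the tree; "by * break" lets every other identity fall through to the remaining rules instead of being denied at rule {0}.

```ldif
# Added example (assumed database DN); the olcAccess values replace the whole list.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Rule {0}: the reset account gets write on the entry pseudo-attribute AND on
# userPassword, limited to ou=People. "break" continues evaluation for everyone else.
olcAccess: {0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword
  by dn.exact="uid=pwreset,dc=example,dc=com" write
  by * break
# Rule {1}: users may change their own password; anonymous may only bind against it.
olcAccess: {1}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule {2}: everything else is readable by authenticated users and writable by self.
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

Before pointing the reset utility at the server, the effective access can be checked offline with slapacl(8), which evaluates the configured ACLs without a bind: run `slapacl -D "uid=pwreset,dc=example,dc=com" -b "uid=someuser,ou=People,dc=example,dc=com" entry/write userPassword/write` and confirm both report write. Dropping "entry/write" from that check is exactly the mistake the second ACL set in the thread made: write on userPassword alone is not enough for a modify operation, and slapd returns result 50 (insufficientAccessRights).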