On Oct 1, 2020, at 3:27 PM, Quanah Gibson-Mount <quanah@symas.com> wrote:

--On Thursday, October 1, 2020 4:22 PM -0700 Scott Classen <sclassen@lbl.gov> wrote:

Hello,

I'm having trouble understanding why I can't get a service account to
reset a userPassword attribute.

ACLs are:

{0}to attrs=userPassword
     by self write
     by anonymous auth
     by * none
{1}to *
     by self write
     by users read
     by dn.base="uid=pwreset,dc=example,dc=com" write
     by * none


But when the password reset utility attempts to modify the password I see
the following 50 error, indicating that the ACL is somehow preventing the
pwreset account from modifying userPassword.

The above ACLs give no access to the userPassword attribute for the pwreset DN.


{0}to attrs=userPassword
     by self write
     by anonymous auth
     by dn.base="uid=pwreset,dc=example,dc=com" write
     by * none
{1}to *
     by self write
     by users read
     by * none

The above ACLs give the pwreset DN write access to the userPassword attribute, but do not give any access to the pseudo "entry" attribute, which is mandatory as documented in the slapd.access(5) man page.

Regards,
Quanah


I added this as the first ACL and now things are working:

{0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword
     by dn.exact="uid=pwreset,dc=example,dc=com" write
     by * break
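As an added illustration (not part of the thread or of OpenLDAP), the toy Python below models slapd's ACL evaluation just far enough to replay the three listings above: Scott's original ACLs, Quanah's second listing, and Scott's fix prepended to the original set. The target entry DN used in the checks, the simplified stop/break/continue semantics, and treating dn.base and dn.exact as the same exact-DN match are assumptions made for this example.

```python
# Toy model of slapd ACL evaluation (OpenLDAP slapd.access(5)), written for this thread;
# not slapd's code. Supports only the <who> forms, levels and controls that appear above.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def who_matches(who, bind_dn, target_dn):
    # bind_dn is None for an anonymous bind; dn.base and dn.exact both mean exact DN match
    simple = {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
              "self": bind_dn is not None and bind_dn.lower() == target_dn.lower()}
    if who in simple:
        return simple[who]
    if who.startswith(("dn.base=", "dn.exact=")):
        return bind_dn is not None and bind_dn.lower() == who.split("=", 1)[1].lower()
    raise ValueError(f"unsupported <who>: {who}")

def allowed(acls, bind_dn, target_dn, attr, needed):
    """acls: list of (dn_subtree or None, attrs or None for 'to *', [(who, level, control), ...]).
    The first 'to' clause matching the target is used; the first matching 'by' clause sets the level
    and its control decides: stop ends evaluation, continue tries the next 'by', break the next 'to'."""
    granted = "none"
    for subtree, attrs, by_clauses in acls:
        if subtree and not target_dn.lower().endswith(subtree.lower()):
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level, control in by_clauses:
            if not who_matches(who, bind_dn, target_dn):
                continue
            granted = level or granted  # level None (as in "by * break") leaves it unchanged
            if control == "break":
                break
            if control == "stop":
                return LEVELS.index(granted) >= LEVELS.index(needed)
        else:  # 'by' list exhausted without stop/break: decide on what has been granted so far
            return LEVELS.index(granted) >= LEVELS.index(needed)
    return False  # implicit trailing "access to * by * none"

def can_modify(acls, bind_dn, target_dn, attrs):
    # a modify needs write on the 'entry' pseudo-attribute and on every attribute it touches
    return all(allowed(acls, bind_dn, target_dn, a, "write") for a in ["entry", *attrs])

PWRESET = "uid=pwreset,dc=example,dc=com"
S = "stop"
ORIGINAL = [  # Scott's first listing: no access to userPassword; "by users read" matches pwreset first
    (None, {"userPassword"}, [("self", "write", S), ("anonymous", "auth", S), ("*", "none", S)]),
    (None, None, [("self", "write", S), ("users", "read", S), (f"dn.base={PWRESET}", "write", S), ("*", "none", S)])]
USERPASSWORD_ONLY = [  # Quanah's second listing: write on userPassword, only read on 'entry'
    (None, {"userPassword"}, [("self", "write", S), ("anonymous", "auth", S), (f"dn.base={PWRESET}", "write", S), ("*", "none", S)]),
    (None, None, [("self", "write", S), ("users", "read", S), ("*", "none", S)])]
FIXED = [("ou=People,dc=example,dc=com", {"entry", "userPassword"},  # Scott's fix, prepended to ORIGINAL
          [(f"dn.exact={PWRESET}", "write", S), ("*", None, "break")])] + ORIGINAL
```

Running `can_modify` for the pwreset DN against an entry under ou=People returns False for the first two sets and True only for FIXED, while `by * break` still lets self-write and anonymous auth from the original rules apply to everyone else.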