--On Thursday, October 1, 2020 4:22 PM -0700 Scott Classen <sclassen@lbl.gov> wrote:

Hello,
I'm having trouble understanding why I can't get a service account to
reset a userPassword attribute.
ACLs are:
{0}to attrs=userPassword
    by self write
    by anonymous auth
    by * none
{1}to *
    by self write
    by users read
    by dn.base="uid=pwreset,dc=example,dc=com" write
    by * none
But when the password reset utility attempts to modify the password I see
the following 50 error, indicating that the ACL is somehow preventing the
pwreset account from modifying userPassword
The above ACLs give no access to the userPassword attribute for the pwreset DN.
{0}to attrs=userPassword
    by self write
    by anonymous auth
    by dn.base="uid=pwreset,dc=example,dc=com" write
    by * none
{1}to *
    by self write
    by users read
    by * none

The above ACLs give the pwreset DN write access to the userPassword attribute, but do not give any access to the pseudo "entry" attribute, which is mandatory as documented in the slapd.access(5) man page.

Regards,
Quanah
I added this as the first ACL and now things are working:
{0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword
    by dn.exact="uid=pwreset,dc=example,dc=com" write
    by * break
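The following is an added example, not code from the thread or from OpenLDAP. It models the small subset of slapd ACL evaluation that decides this case, as described in slapd.access(5): the first "to" clause matching the target entry and attribute applies, within it the first matching "by" clause decides, an unmatched "by" list means an implicit "by * none", the "break" control falls through to the next "to" clause, and a modify needs write on the attribute being changed and write on the "entry" pseudo-attribute of the same entry (otherwise the server answers result code 50, insufficientAccessRights). Run against the three ACL sets from the thread it shows why the first two deny uid=pwreset and the third allows it while still letting users change their own password and keeping pwreset out of entries outside ou=People. The DNs uid=alice and uid=bob are constructed sample users; the model ignores "continue", incremental +/- privileges, regex and dn.children scopes, and other features the thread does not use.

```python
"""Toy model of slapd ACL evaluation (subset of slapd.access(5) syntax).
Illustration only; this is not slapd's own access_allowed() code."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Access levels in increasing order; granting a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ENTRY = "entry"  # pseudo-attribute standing for access to the entry itself


def _norm(dn: str) -> str:
    """Crude DN normalisation for comparisons: lower-case, no space after commas."""
    return re.sub(r",\s*", ",", dn.strip()).lower()


@dataclass
class ByClause:
    who: str      # self | anonymous | users | * | dn.base=<dn> | dn.exact=<dn>
    access: str   # a level from LEVELS, or "break" (fall through to next 'to')

    def matches(self, subject_dn: str | None, target_dn: str) -> bool:
        if self.who == "*":
            return True
        if self.who == "anonymous":
            return subject_dn is None
        if self.who == "users":
            return subject_dn is not None
        if self.who == "self":
            return subject_dn is not None and _norm(subject_dn) == _norm(target_dn)
        m = re.fullmatch(r'dn\.(?:base|exact)="?([^"]+)"?', self.who)
        if m:
            return subject_dn is not None and _norm(subject_dn) == _norm(m.group(1))
        raise ValueError(f"unsupported <who>: {self.who}")


@dataclass
class AccessRule:
    subtree: str | None          # dn.subtree="..." or None for any entry
    attrs: set[str] | None       # attrs=... or None for '*' (every attribute, entry included)
    bys: list[ByClause] = field(default_factory=list)

    def matches(self, target_dn: str, attr: str) -> bool:
        if self.subtree is not None:
            t, s = _norm(target_dn), _norm(self.subtree)
            if not (t == s or t.endswith("," + s)):
                return False
        return self.attrs is None or attr.lower() in self.attrs


def parse_acls(text: str) -> list[AccessRule]:
    """Parse 'to ... by ...' rules; '{n}' ordering prefixes and the keyword 'access' are optional."""
    tokens = re.sub(r"\{\d+\}", " ", text).split()
    rules: list[AccessRule] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "access":
            i += 1
        elif tok == "to":
            rule = AccessRule(subtree=None, attrs=None)
            i += 1
            while i < len(tokens) and tokens[i] != "by":
                what = tokens[i]
                if what.startswith("dn.subtree="):
                    rule.subtree = what.split("=", 1)[1].strip('"')
                elif what.startswith("attrs="):
                    rule.attrs = {a.lower() for a in what.split("=", 1)[1].split(",")}
                elif what != "*":
                    raise ValueError(f"unsupported <what>: {what}")
                i += 1
            rules.append(rule)
        elif tok == "by":
            who, access = tokens[i + 1], tokens[i + 2]
            if access not in LEVELS and access != "break":
                raise ValueError(f"unsupported <access>: {access}")
            rules[-1].bys.append(ByClause(who, access))
            i += 3
        else:
            raise ValueError(f"unexpected token: {tok}")
    return rules


def access_level(rules: list[AccessRule], subject_dn: str | None, target_dn: str, attr: str) -> str:
    """First matching 'to' applies; first matching 'by' inside it decides; 'break' falls through."""
    for rule in rules:
        if not rule.matches(target_dn, attr):
            continue
        for by in rule.bys:
            if by.matches(subject_dn, target_dn):
                if by.access == "break":
                    break          # keep looking at later 'to' clauses
                return by.access
        else:
            return "none"          # 'to' matched but no 'by' did: implicit 'by * none'
    return "none"                  # nothing matched: implicit 'to * by * none'


def can_modify(rules: list[AccessRule], subject_dn: str | None, target_dn: str, attr: str) -> bool:
    """Modify needs write on the attribute AND write on the entry pseudo-attribute."""
    w = LEVELS.index("write")
    return (LEVELS.index(access_level(rules, subject_dn, target_dn, attr)) >= w
            and LEVELS.index(access_level(rules, subject_dn, target_dn, ENTRY)) >= w)


# The three ACL sets from the thread, in the order they were posted.
ACL_ORIGINAL = """
{0}to attrs=userPassword by self write by anonymous auth by * none
{1}to * by self write by users read by dn.base="uid=pwreset,dc=example,dc=com" write by * none
"""
ACL_SECOND = """
{0}to attrs=userPassword by self write by anonymous auth by dn.base="uid=pwreset,dc=example,dc=com" write by * none
{1}to * by self write by users read by * none
"""
ACL_WORKING = """
{0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword by dn.exact="uid=pwreset,dc=example,dc=com" write by * break
{1}to attrs=userPassword by self write by anonymous auth by * none
{2}to * by self write by users read by * none
"""

PWRESET = "uid=pwreset,dc=example,dc=com"
ALICE = "uid=alice,ou=People,dc=example,dc=com"   # constructed sample user
BOB = "uid=bob,ou=People,dc=example,dc=com"       # constructed sample user
ADMIN = "cn=admin,dc=example,dc=com"              # constructed entry outside ou=People


def evaluate_thread_acls() -> dict[str, bool]:
    """Who may modify userPassword under each ACL set (the thread's question)."""
    results = {}
    for name, text in (("original", ACL_ORIGINAL), ("second", ACL_SECOND), ("working", ACL_WORKING)):
        rules = parse_acls(text)
        results[f"{name}/pwreset"] = can_modify(rules, PWRESET, ALICE, "userPassword")
        results[f"{name}/self"] = can_modify(rules, ALICE, ALICE, "userPassword")
        results[f"{name}/other_user"] = can_modify(rules, BOB, ALICE, "userPassword")
        results[f"{name}/pwreset_outside_subtree"] = can_modify(rules, PWRESET, ADMIN, "userPassword")
    return results


if __name__ == "__main__":
    for k, v in evaluate_thread_acls().items():
        print(f"{k:35s} {'allowed' if v else 'denied (result 50)'}")
```

Against a real server the equivalent check is slapacl(8), which evaluates the configured ACLs offline for a given identity and target, for example `slapacl -F /etc/ldap/slapd.d -D "uid=pwreset,dc=example,dc=com" -b "uid=alice,ou=People,dc=example,dc=com" userPassword/write entry/write`; both lines must come back as ALLOWED before a modify will succeed.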