Hi,
thanks for the reply,
On Tue, Sep 18, 2018 at 09:40:00PM +0200, Clément OUDOT wrote:
On 18/09/2018 at 18:11, Ervin Hegedüs wrote:
Hi, there is an interesting insufficient access problem...
There are 3 (in the dev environment 2) multimaster LDAP nodes.
There is a simple web frontend, written in PHP, where a user can change their own password, or can get a link to set up a new password if the old one has been lost.
In some cases (some users) the user can't change their own password through PHP. When I change it from the webserver with ldapmodify and a simple ldif file, it works as well.
But when I try to modify the password through PHP, I get an "Insufficient access" error, and these lines are in syslog:
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
...
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
Sep 18 17:48:13 dev-ldap-01 slapd[12125]:
I would say that the PHP application is sending some garbage to the directory. What application are you using for password change, is it LTB Self Service Password?
No, that's a custom development, which will be extended with many other features - that doesn't matter now.
But then I don't understand why this error comes for only a few users (the total number of users is about 200 now; we know of 2-3 affected users).
Anyway, I also thought what you wrote, and switched back to native LDAP (instead of LDAPS) and made a capture on the LDAP side.
There isn't any garbage in the packets; all requests contain absolutely normal lines... If you are interested in it, I can send you a cap file - but that contains sensitive data, of course.
I can just share some screenshots of the traffic; hopefully they show that there is no other garbage:
https://www.dropbox.com/sh/x8ol6cfc39zj7cp/AADCo3CgcHPQnvOre4hjuULpa
Thanks again,
a.
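An added triage helper, not part of this thread or of OpenLDAP, that parses slapd ACL debug lines like the ones quoted above (re-typed one per line as constructed sample input) into one record per access check and re-runs each logged dnpat against the target DN both case-sensitively and case-folded. slapd matches regex ACLs against its normalized DN, so a difference between the two results is only a hint about where to look in the ACL set, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the slapd ACL debug lines quoted in the thread, one per line.
SAMPLE_LOG = """\
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
"""
# Line shapes as they appear in the quoted syslog output.
SLAPD_MSG = re.compile(r"slapd\[\d+\]: => (?P<msg>.*)$")
ACCESS = re.compile(r'access_allowed: (?P<access>\w+) access to "(?P<dn>[^"]*)" "(?P<attr>[^"]*)" requested')
DNPAT = re.compile(r"dnpat: \[(?P<idx>\d+)\] (?P<pat>.*?) nsub: \d+$")
MATCHED = re.compile(r"acl_get: \[(?P<idx>\d+)\] matched$")

@dataclass
class AclCheck:
    access: str                      # e.g. "search", "write"
    dn: str                          # target entry DN
    attr: str                        # attribute the access check is for
    patterns: Dict[int, str] = field(default_factory=dict)  # ACL index -> dnpat regex tried
    matched: Optional[int] = None    # ACL index slapd reported as matched

def parse_acl_debug(text: str) -> List[AclCheck]:
    """Group slapd 'access_allowed' debug output into one record per access check."""
    checks: List[AclCheck] = []
    for line in text.splitlines():
        m = SLAPD_MSG.search(line)
        if not m:
            continue  # per-character spill lines and non-ACL noise
        msg = m.group("msg")
        if a := ACCESS.match(msg):
            checks.append(AclCheck(a["access"], a["dn"], a["attr"]))
        elif checks and (p := DNPAT.match(msg)):
            checks[-1].patterns[int(p["idx"])] = p["pat"]
        elif checks and (k := MATCHED.match(msg)):
            checks[-1].matched = int(k["idx"])
    return checks

def pattern_hits(check: AclCheck) -> Dict[int, Tuple[bool, bool]]:
    """Re-run each logged dnpat against the raw DN: (case-sensitive hit, case-folded hit).
    slapd matches regex ACLs against its normalized DN, so this is a triage hint only."""
    return {idx: (re.search(pat, check.dn) is not None,
                  re.search(pat, check.dn, re.IGNORECASE) is not None)
            for idx, pat in check.patterns.items()}
```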