On 18/09/2018 at 18:11, Ervin Hegedüs wrote:
Hi, there is an interesting insufficient access problem...
There are 3 (in the dev environment 2) multi-master LDAP nodes.
There is a simple web frontend, written in PHP, where a user can change their own password, or can get a link to set up a new password if the old one has been lost.
In some cases (for some users) the user can't change their own password through PHP. When I change it from the webserver with ldapmodify and a simple ldif file, it works well.
But when I try to modify the password through PHP, I get an "Insufficient access" error, and these lines are in syslog:
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 1
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: w
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: f
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: l
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: a
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: n
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: y
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
Sep 18 17:48:13 dev-ldap-01 slapd[12125]:
(I replaced names and chars, so the match[dn0] numbers are not correct).
Only a few users can trigger this problem (I don't know why), and only through PHP.
What's the problem here?
Hello,
I would say that the PHP application is sending some garbage to the directory. What application are you using for password change? Is it LTB Self Service Password?
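One way to check what the frontend really sends, compared with the ldapmodify test that works: an added diagnostic script (example code, not from the thread or from any self-service product) that binds with the same credentials the frontend would use, confirms the identity the server authenticated, validates the new value, and attempts the same userPassword replace while capturing the server's diagnostic message. The host name is a placeholder, and the old and new passwords are assumed to come from environment variables.

```php
<?php
// Added diagnostic example, not part of the original thread.
// Assumptions: the frontend binds as the user itself; host is a placeholder.
$uri    = 'ldaps://dev-ldap-01.example.test';   // placeholder host
$userDn = 'uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu';
$oldPass = (string) getenv('OLD_PASS');         // supplied at runtime
$newPass = (string) getenv('NEW_PASS');

$ds = ldap_connect($uri);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

// An empty password would not be a real user bind; refuse it up front.
if ($oldPass === '' || !@ldap_bind($ds, $userDn, $oldPass)) {
    fwrite(STDERR, "bind failed: " . ldap_error($ds) . "\n");
    exit(1);
}

// Ask the server which identity it actually authenticated. If this is not
// the user's own DN (e.g. a service account), a 'by self write' ACL on
// userPassword will not apply and the modify is refused.
echo "bound as: " . ldap_exop_whoami($ds) . "\n";

// Reject control characters, NUL bytes or stray whitespace a web form could
// pass through: these reach the directory as part of the attribute value.
if (preg_match('/[\x00-\x1f\x7f]/', $newPass) || $newPass !== trim($newPass)) {
    fwrite(STDERR, "new password contains control chars or stray whitespace\n");
    exit(1);
}

// Same operation as 'replace: userPassword' in an LDIF fed to ldapmodify.
if (!@ldap_mod_replace($ds, $userDn, ['userPassword' => $newPass])) {
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    printf("modify failed: %s (%d) diagnostic=%s\n",
           ldap_error($ds), ldap_errno($ds), $diag);
    exit(1);
}
echo "userPassword replaced for $userDn\n";
ldap_unbind($ds);
```

Running this for one of the affected users and one unaffected user, with the same slapd ACL logging enabled, shows directly whether the bound identity or the submitted value differs from the ldapmodify case.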