Hi,
On Tue, Sep 18, 2018 at 11:21:07PM +0200, Clément OUDOT wrote:
Le 18/09/2018 à 23:10, Ervin Hegedüs a écrit :
Hi,
On Tue, Sep 18, 2018 at 10:34:55PM +0200, Clément OUDOT wrote:
Le 18/09/2018 à 22:23, Ervin Hegedüs a écrit :
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write by anonymous auth by * none olcAccess: {1}to dn.subtree="ou=OU1,dc=service1,dc=bigcompany,dc=hu" by dn="uid=_srvuser2,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write by * none olcAccess: {2}to dn.regex="ou=(comp1|comp2|comp3),dc=service1,dc=bigcompany,dc=hu" by dn="uid=_srvuser2,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write by * none olcAccess: {3}to dn.subtree="dc=bigcompany,dc=hu" by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write by * none olcAccess: {4}to * by self write by anonymous auth by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write by * none
Are you sure that a user can modify userPassword and sambaNT/LM password attributes?
yes, I'm sure.
The NT/LM password attribures aren't named any place, the userPassword is, but all user can modify its own - see ACL's above.
No, the olcAccess {3} deny all access inside dc=bigcompany,dc=hu, the rule {4} is never evaluated.
well, you're right - but then how does it works for other users?
It's too late here (.hu), I'll check it again tomorrow.
And as I wrote in first mail, the simple "ldapmodify" works as well.
Do you test to modify only userPassword attribute? Or your modification is also on Samba attributes?
no, I just put the userPassword attribute,
And more important, the other users under the same OU can change their own userpassword/nt/lm password attributes through PHP.
I don't how, because your ACL allow only userPassword modification for 'self'.
yes, that's very interesting.
and one important thing: if this issue is a "simple" ACL problem, why logs slapd an interesting lines (one char in a line)? Why just deny the access...?
The service user (_srvuser1) also can modify (through PHP), but I'ld like to use as the logged user modify its own passwd.
I think you should merge your ACL like this:
olcAccess: {3}to dn.subtree="dc=bigcompany,dc=hu" by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write by self write by * none
thanks, as I wrote, it's too late here to focus the problem, I'll check it tomorrow with fresh brain :).
Thanks for all,
a.