Thanks for you response, Yes you are right the issue was with ppolicy pwdAllowUserChange attribute as it was set to FALSE, it is working fine now after changing it to TRUE
Thanks & Regards Raj
From: Clément OUDOT clement.oudot@savoirfairelinux.com To: openldap-technical@openldap.org Date: 12/23/2015 10:57 PM Subject: Re: Issue while changing user password by self Sent by: "openldap-technical" openldap-technical-bounces@openldap.org
Le 23/12/2015 08:04, Rajagopal Rc a écrit : Hello,
I am trying to allow users to change their own passwords
OS RHEL7 Openldap version 2.4.39-7.el7_1.x86_64
ACL in slapd.conf
disallow bind_anon
access to attrs=userPassword by self write by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * auth
access to * by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * break
access to * by dn="cn=Manager,dc=rnd,dc=com" by users read by self write by * auth
from client machine 'user5' is trying to change own password and getting following error
$ ldappasswd -H ldaps://ldapdev.rnd.com:636 -x -D "cn=user 5,ou=people,dc=rnd,dc=com" -W -A -S Old password: Re-enter old password: New password: Re-enter new password: Enter LDAP Password: Result: Insufficient access (50) Additional info: User alteration of password is not allowed
This error looks like issue with permissions, yet i have already allowed access to attrs=userPassword by self write in slapd.conf, please let me know if there is any thing wrong in above ACL and why i am getting this error
This may be linked to your configuration of ppolicy overlay. Check the pwdAllowUserChange attribute of your policy entry, it should be set to TRUE.