Hi,
Ok
My rule is:
access to dn.regex="^mail=([^,]+),ou=([^,]+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example$" attrs=userPassword by dn.exact="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" write by dn.exact,expand="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" read by dn="cn=Manager,dc=myhosting,dc=example" write by users none by * none
This doesn't work; users can't change their own password.
I also tried this:
access to attrs=userpassword by self write by anonymous auth by dn="cn=Manager,dc=myhosting,dc=example" write by users none by * none
It doesn't work either.
Does OpenLDAP have another parameter for these things?
On Tue, Dec 20, 2011 at 8:56 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Tuesday, December 20, 2011 4:28 PM +0200 Selcuk Yazar <selcuk.yazar@gmail.com> wrote:
access to dn.regex="(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)" attrs=userPassword by self write by users write
"by users write" will allow any authenticated user to overwrite anyone's password. I'm guessing you really do *not* want this rule.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc.
Zimbra :: the leader in open source messaging and collaboration
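As an added example (not code from the thread or from the OpenLDAP project), here is a small Python model of how slapd evaluates the three directives posted above: first matching "access to" wins, and inside it the first matching "by" clause decides, as slapd.access(5) describes. It shows the effect of "by users write" against "by self write", and it treats dn.exact="...$1..." without the ",expand" modifier as a literal string compare, which is what the modifier exists for; that treatment and the default "access to * by * read" fallback are the model's assumptions. The requester and entry DNs are constructed; the directives are the thread's own, only joined onto one line each. The rootdn bypass is not modelled. Treat this as an aid for reading ACLs, not as slapd: the authoritative check is slapacl(8) against the running configuration.

```python
import re

# Access levels in the order slapd.access(5) ranks them; a granted level implies
# every level to its left, so "write" satisfies a request for "read" or "auth".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def dn_eq(a, b):
    """Case-insensitive DN comparison, ignoring whitespace around commas."""
    def norm(s):
        return re.sub(r"\s*,\s*", ",", s.strip()).lower()
    return norm(a) == norm(b)


def parse_acl(text):
    """Parse one 'access to <what> by <who> <level> ...' directive.
    Supported subset: <what> = [dn.regex="..."] [attrs=a,b];
    <who> = self | users | anonymous | * | dn[.exact][,expand]="..."."""
    m = re.match(r'\s*access\s+to\s+(.*?)\s+(by\s+.*)$', text, re.S)
    if not m:
        raise ValueError("not an access directive: " + text)
    what, rest = m.group(1), m.group(2)
    target = {"dn_regex": None, "attrs": None}
    for key, val in re.findall(r'(dn\.regex|attrs)=("[^"]*"|\S+)', what):
        val = val.strip('"')
        if key == "attrs":
            target["attrs"] = {a.strip().lower() for a in val.split(",")}
        else:
            target["dn_regex"] = re.compile(val, re.I)
    clauses = []
    for who, level in re.findall(r'by\s+(\S+="[^"]*"|\S+)\s+(\w+)', rest):
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        clauses.append((who, level))
    return {"target": target, "by": clauses}


def who_matches(who, requester, entry_dn, groups):
    """Does this <who> clause apply to `requester`? Empty string = anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "users":
        return requester != ""
    if who == "self":
        return requester != "" and dn_eq(requester, entry_dn)
    m = re.match(r'dn(?:\.exact)?(,expand)?="([^"]*)"$', who)
    if not m:
        raise ValueError("unsupported <who>: " + who)
    pattern = m.group(2)
    if m.group(1):  # ",expand": substitute $1..$9 from the 'to dn.regex' match
        pattern = re.sub(r"\$([1-9])", lambda g: groups[int(g.group(1)) - 1], pattern)
    # Model assumption: without ",expand" a literal "$1" stays in the pattern
    # and therefore never equals a real DN.
    return dn_eq(requester, pattern)


def check_access(acls, requester, entry_dn, attr, wanted):
    """Return (granted, level) for `requester` wanting `wanted` on `attr` of `entry_dn`.
    An 'access to' that matches but whose 'by' clauses all miss yields none
    (the implicit 'by * none'); if no directive matches at all, the built-in
    default 'access to * by * read' applies (model assumption)."""
    for acl in acls:
        t, groups = acl["target"], ()
        if t["dn_regex"] is not None:
            m = t["dn_regex"].search(entry_dn)
            if not m:
                continue
            groups = m.groups()
        if t["attrs"] is not None and attr.lower() not in t["attrs"]:
            continue
        level = "none"
        for who, lvl in acl["by"]:
            if who_matches(who, requester, entry_dn, groups):
                level = lvl
                break
        return LEVELS.index(level) >= LEVELS.index(wanted), level
    return LEVELS.index("read") >= LEVELS.index(wanted), "read"


# The three directives from the thread, each joined onto a single line.
RULES = {
    "by_users_write": 'access to dn.regex="(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)" attrs=userPassword by self write by users write',
    "unexpanded_dn_exact": 'access to dn.regex="^mail=([^,]+),ou=([^,]+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example$" attrs=userPassword by dn.exact="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" write by dn.exact,expand="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" read by dn="cn=Manager,dc=myhosting,dc=example" write by users none by * none',
    "self_write": 'access to attrs=userpassword by self write by anonymous auth by dn="cn=Manager,dc=myhosting,dc=example" write by users none by * none',
}


def demo():
    """Evaluate every rule for a few constructed requesters (sample DNs, not from the thread)."""
    alice = "mail=alice@example.com,ou=people,jvd=example.com,o=hosting,dc=myhosting,dc=example"
    bob = "mail=bob@example.com,ou=people,jvd=example.com,o=hosting,dc=myhosting,dc=example"
    manager = "cn=Manager,dc=myhosting,dc=example"
    out = {}
    for name, rule in RULES.items():
        acls = [parse_acl(rule)]
        out[name] = {
            "alice_writes_own": check_access(acls, alice, alice, "userPassword", "write"),
            "bob_writes_alice": check_access(acls, bob, alice, "userPassword", "write"),
            "anon_auths_alice": check_access(acls, "", alice, "userPassword", "auth"),
            "manager_writes_alice": check_access(acls, manager, alice, "userPassword", "write"),
        }
    return out


if __name__ == "__main__":
    for name, checks in demo().items():
        print(name)
        for what, (ok, level) in checks.items():
            print(f"  {what:22s} -> {'granted' if ok else 'denied':7s} (level {level})")
```

Running it shows the point Quanah makes: under "by_users_write", bob gets write on alice's userPassword because "by users write" is reached before any deny. Under "self_write" only alice and the Manager DN get write, anonymous gets auth (enough to bind), and bob gets none. Under "unexpanded_dn_exact" the model gives alice only read, because the first clause compares the literal "mail=$1,..." and the expanding clause that does match her grants read; whether the live server agrees is exactly what slapacl(8) is for, and Dieter's advice below applies.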
On Wed, 21 Dec 2011 13:47:11 +0200, Selcuk Yazar selcuk.yazar@gmail.com wrote:
Hi,
Ok
My rule is:
access to dn.regex="^mail=([^,]+),ou=([^,]+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example$" attrs=userPassword by dn.exact="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" write by dn.exact,expand="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" read by dn="cn=Manager,dc=myhosting,dc=example" write by users none by * none
This doesn't work; users can't change their own password.
Run slapacl(8) to test your access rules, or just run slapd with -dacl; this will show you slapd parsing your access rules.
-Dieter
My problem is about Red Hat :(
If I want to apply slapd.conf changes, I must run these commands:
/bin/rm -rf /etc/openldap/slapd.d/*
/usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
/bin/chown -R ldap:ldap /etc/openldap/slapd.d
/bin/chmod -R 000 /etc/openldap/slapd.d
/bin/chmod -R u+rwX /etc/openldap/slapd.d
After that my config is running.
Thank you.
Selcuk
On Thu, Dec 22, 2011 at 2:10 PM, Dieter Klünter dieter@dkluenter.de wrote:
On Wed, 21 Dec 2011 13:47:11 +0200, Selcuk Yazar selcuk.yazar@gmail.com wrote:
Hi,
Ok
My rule is:
access to dn.regex="^mail=([^,]+),ou=([^,]+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example$" attrs=userPassword by dn.exact="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" write by dn.exact,expand="mail=$1,ou=$2,jvd=$3,o=hosting,dc=myhosting,dc=example" read by dn="cn=Manager,dc=myhosting,dc=example" write by users none by * none
This doesn't work; users can't change their own password.
Run slapacl(8) to test your access rules, or just run slapd with -dacl; this will show you slapd parsing your access rules.
-Dieter
-- Dieter Klünter | Systems Consulting http://dkluenter.de GPG Key ID: DA147B05 53°37'09,95"N 10°08'02,42"E
On Friday, 23 December 2011 11:05:17 Selcuk Yazar wrote:
My problem is about Red Hat :(
No.
OpenLDAP supports a new configuration method. It seems you haven't read any documentation about it.
RHEL6 defaults to using this configuration method, but you don't *have* to use it.
If I want to apply slapd.conf changes, I must run
/bin/rm -rf /etc/openldap/slapd.d/*
If at this point you restart slapd, it will just use slapd.conf ...
/usr/sbin/slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d
But this step is supposed to be a one-time conversion. Assuming you have a 'database config' statement which has a 'rootpw' option, you should be able to edit your configuration and have changes applied immediately, without restarting slapd, by using e.g. ldapmodify (or any GUI tool) to modify the entries under cn=config.
Please at least read 'man slapd-config' rather than continuing. Either edit slapd.conf, and don't use cn=config, or only use cn=config, and never edit configuration files.
Regards, Buchan
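A worked example of the cn=config route Buchan describes, added here and not part of the thread: an LDIF that replaces one olcAccess value of the data database with the "by self write" directive posted earlier in the thread. The database entry name olcDatabase={2}bdb,cn=config and the {0} index are assumptions (RHEL6 ships a bdb database, but the number and the position of the existing userPassword rule vary), so look the real values up first with the ldapsearch shown in the comment.

```ldif
# Added example, not from the thread. Assumed: the data database is
# olcDatabase={2}bdb,cn=config and its existing userPassword ACL sits at
# index {0}. Check both before applying:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcAccess=*)" olcAccess
dn: olcDatabase={2}bdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn="cn=Manager,dc=myhosting,dc=example" write
  by users none
  by * none
```

Apply it on the server as root with ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif, or with ldapmodify -x -D cn=config -W -f acl.ldif when the config database has the rootpw Buchan mentions. The change is live immediately; no slaptest, no restart, and slapd.conf is not consulted while slapd.d exists. Verify the result the way Dieter suggests, e.g. slapacl -F /etc/openldap/slapd.d -D "<user DN>" -b "<same user DN>" userPassword/write, and the same command with a different user in -D, which should report denied.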
openldap-technical@openldap.org