Hello,
I'll appreciate it if any of you are willing to take time and share with me your experience with OpenLDAP running on a RedHat server configured with group ACL.
I'm trying to grant a group of people (including myself) the permission to change user LDAP passwords. However, when I try to change a user's LDAP password, I received the following message:
Result: Insufficient access (50)
The command that I used was:
ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S "uid=w_smith,ou=People,dc=mydomain,dc=com"
My ACL settings in the slapd.conf file are:
access to attr=userPassword by self write by anonymous auth by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write by * none access to * by self write by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write by * read
My netgroup has been defined as the following:
dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com objectClass: nisNetgroup objectClass: top cn: ITgroup nisNetgroupTriple: (,l_luke,mydomain.com) nisNetgroupTriple: (,w_smith,mydomain.com) nisNetgroupTriple: (,g_baker,mydomain.com) description: Password Keepers
My user entry is:
# l_luke, People mydomain.com dn: uid=l_luke,ou=People,dc=mydomain,dc=com uid: l_luke cn: l_luke objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 13958 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 10005 gidNumber: 10005 homeDirectory: /home/l_luke gecos: Luke Lee
Can anyone point me to the right direction or share with me the correct group ACL settings that you have? Thanks!
____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs
Hello,
I'll appreciate it if any of you are willing to take time and share with me your experience with OpenLDAP running on a RedHat server configured with group ACL.
I'm trying to grant a group of people (including myself) the permission to change user LDAP passwords. However, when I try to change a user's LDAP password, I received the following message:
Result: Insufficient access (50)
The command that I used was:
ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S "uid=w_smith,ou=People,dc=mydomain,dc=com"
My ACL settings in the slapd.conf file are:
access to attr=userPassword by self write by anonymous auth by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write by * none access to * by self write by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write by * read
My netgroup has been defined as the following:
dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com objectClass: nisNetgroup objectClass: top cn: ITgroup nisNetgroupTriple: (,l_luke,mydomain.com) nisNetgroupTriple: (,w_smith,mydomain.com) nisNetgroupTriple: (,g_baker,mydomain.com) description: Password Keepers
My user entry is:
# l_luke, People mydomain.com dn: uid=l_luke,ou=People,dc=mydomain,dc=com uid: l_luke cn: l_luke objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 13958 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 10005 gidNumber: 10005 homeDirectory: /home/l_luke gecos: Luke Lee
Can anyone point me to the right direction or share with me the correct group ACL settings that you have? Thanks!
As indicated in slapd.access(5), the member attribute must have either distinguishedName syntax (or nameAndOptionalUID syntax) or be derivated from memberURL; it defaults to "member". It appears from your message that you expect "nisNetgroupTriple" to be used as member attribute, but you should specify that attribute in the ACL clause. However, "nisNetgroupTriple" wouldn't be allowed since it doesn't comply with the above restrictions. You need to use LDAP groups for access control; nisNetGroup objects don't fit.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
openldap-technical@openldap.org
-
Luke Lee -
Pierangelo Masarati