Hi,
I want LDAP users to be able to change their password.
sample user dn is mail=edergi@.....mail......edu.tr,ou=SOME_UNIT,jvd=.....mail.......edu.tr,o=hosting,dc=myhosting,dc=example
and we have these ACL rules in slapd.conf:
access to dn.regex=".*,ou=.*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example" attrs=userPassword by self write by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write by * auth by * none
access to dn.regex=".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example" by self write by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write by * read
access to * by * read
I have applied various rules from the OpenLDAP documentation, but none of them works. Why can't users change their password?
thanks in advance
Does an ACL rule in front of the rule prohibit the access to the specified rule?
suomi
On Tuesday, 20 December 2011 10:55:12 Selcuk Yazar wrote:
> Hi,
> I want LDAP users to be able to change their password.
> sample user dn is mail=edergi@.....mail......edu.tr,ou=SOME_UNIT,jvd=.....mail.......edu.tr,o=hosting,dc=myhosting,dc=example
> and we have these ACL rules in slapd.conf:
> access to dn.regex=".*,ou=.*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example" attrs=userPassword by self write by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write by * auth by * none
> access to dn.regex=".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example" by self write by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write by * read
> access to * by * read
> I have applied various rules from the OpenLDAP documentation, but none of them works.
It is not clear whether your 'sample user dn' matches the regex in your first rule.
Why don't you provide a password changing attempt, done with 'ldappasswd', showing the full commandline, and all output.
> Why can't users change their password?
If you had provided the error code, we could have been relatively sure, but I will guess they don't have sufficient access because your regex isn't matching.
Regards, Buchan
Hi
Here is my command:
ldappasswd -h localhost -D "mail=edergi@.....mail.......edu.tr ,ou=SOME_UNIT,jvd=.....mail........edu.tr,o=hosting,dc=myhosting,dc=example" -w 123456 -a 123456 -s somepassowrd
Result: Insufficient access (50)
and the debug output:
(By the way, how can I be sure my regex matches my entry? Is there a useful regex tool to check this?) I changed my regex to dn.regex=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
thanks
conn=1000 op=1 PASSMOD old new
bdb_dn2entry("mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: ndn: "mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "userPassword"
bdb_dn2entry("mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
bdb_entry_get: rc=0
=> access_allowed: result not in cache (userPassword)
=> access_allowed: auth access to "mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example" "userPassword" requested
=> slap_access_allowed: backend default auth access granted to "mail=edergi@ .......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
=> access_allowed: auth access granted by read(=rscxd)
=> bdb_entry_get: ndn: "mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "cn=default,ou=policies,dc=myhosting,dc=example"
bdb_entry_get: rc=0
bdb_modify: mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example
slap_queue_csn: queing 0x7f31f34201d0 20111220095453.284620Z#000000#000#000000
bdb_dn2entry("mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example")
bdb_modify_internal: 0x00000015: mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example
=> access_allowed: backend default write access denied to "mail=edergi@ .......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
bdb_modify: modify failed (50)
send_ldap_result: conn=1000 op=1 p=3
On Tue, Dec 20, 2011 at 11:34 AM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On 2011-12-20 11:02, Selcuk Yazar wrote:
> [...] (By the way, how can I be sure my regex matches my entry? Is there a useful regex tool to check this?) I changed my regex to dn.regex=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
Quick'n'dirty: use perl:
perl -n -e 'print $1 if /.*,jvd=([^,]+),/'
hth,
Hi,
OK, my new regex is
access to dn.regex="(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)"
This finds my entry, and in slapd.conf I now have
access to dn.regex="(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)" attrs=userPassword by self write by users write by anonymous auth by * none
and the output is like below. It still gives a write access denied error. Why is this so difficult?
Selcuk
conn=1002 op=1 PASSMOD old new
bdb_dn2entry("mail=edergi@.......mail.........edu.tr ,ou=LOWER_CASE_SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: ndn: "mail=edergi@.......mail.........edu.tr ,ou=LOWER_CASE_SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "userPassword"
bdb_dn2entry("mail=edergi@.......mail.........edu.tr ,ou=LOWER_CASE_SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "mail=edergi@.......mail.........edu.tr ,ou=LOWER_CASE_SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
bdb_entry_get: rc=0
=> access_allowed: result not in cache (userPassword)
=> access_allowed: auth access to "mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example" "userPassword" requested
daemon: activity on 1 descriptor
=> slap_access_allowed: backend default auth access granted to "mail=edergi@ .......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
=> access_allowed: auth access granted by read(=rscxd)
=> bdb_entry_get: ndn: "mail=edergi@.......mail.........edu.tr ,ou=LOWER_CASE_SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("mail=edergi@.......mail.........edu.tr ,ou=LOWER_CASE_SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "mail=edergi@.......mail.........edu.tr ,ou=LOWER_CASE_SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "cn=default,ou=policies,dc=myhosting,dc=example"
bdb_entry_get: rc=0
bdb_modify: mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example
slap_queue_csn: queing 0x7f2bc6d441d0 20111220141330.053597Z#000000#000#000000
bdb_dn2entry("mail=edergi@.......mail.........edu.tr ,ou=LOWER_CASE_SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example")
bdb_modify_internal: 0x00000015: mail=edergi@.......mail.........edu.tr ,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example
=> access_allowed: backend default write access denied to "mail=edergi@ .......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr ,o=hosting,dc=myhosting,dc=example"
bdb_modify: modify failed (50)
On Tue, Dec 20, 2011 at 1:21 PM, Martin Schuster (IFKL IT OS DS CD) <Martin.Schuster1@infineon.com> wrote:
Infineon Technologies IT-Services GmbH Martin.Schuster1@infineon.com Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster FB: LG Klagenfurt, FN 246787y +43 5 1777 3517
--On Tuesday, December 20, 2011 4:28 PM +0200 Selcuk Yazar <selcuk.yazar@gmail.com> wrote:
> access to dn.regex="(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)" attrs=userPassword by self write by users write
"by users write" will allow any authenticated user to overwrite anyone's password. I'm guessing you really do *not* want this rule.
--Quanah
--
Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration
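An added example (not code from the thread or from OpenLDAP) that does Martin's regex check the way slapd does it, against the normalized DN, and then walks the posted rule and a self-only variant through slapd's first-match ACL evaluation to show Quanah's point about "by users write". The DNs are constructed stand-ins for the redacted ones, and group.expand membership is not modelled.

```python
import re

# Constructed sample DNs modelled on the thread; the poster redacted the real values.
TARGET = "mail=edergi@mail.example.edu.tr ,ou=SOME_UNIT,jvd=mail.example.edu.tr,o=hosting,dc=myhosting,dc=example"
OTHER_USER = "mail=bob@mail.example.edu.tr,ou=SOME_UNIT,jvd=mail.example.edu.tr,o=hosting,dc=myhosting,dc=example"
# An ACL clause is (dn.regex, attrs or None, [(who, level), ...]); only self, users,
# anonymous and * are modelled, since group.expand membership cannot be resolved offline.
POSTED_RULE = (r"(.*,ou=(.+),jvd=([^,]+),o=hosting,dc=myhosting,dc=example)", "userPassword",
               [("self", "write"), ("users", "write"), ("anonymous", "auth"), ("*", "none")])
SELF_ONLY_RULE = (POSTED_RULE[0], "userPassword",
                  [("self", "write"), ("anonymous", "auth"), ("*", "none")])
CATCH_ALL = (r".*", None, [("*", "read")])

def normalize_dn(dn):
    """slapd matches dn.regex against the normalized DN: no blanks around the RDN
    separators and case-folded values (the posted log's ndn line shows the lower-casing)."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def first_matching_clause(acl, target_dn, attr):
    """Index of the first <access to> clause selecting this DN and attribute, or None.
    Like slapd's regexec, the match is an unanchored, case-insensitive search."""
    ndn = normalize_dn(target_dn)
    for i, (regex, attrs, _) in enumerate(acl):
        if re.search(regex, ndn, re.IGNORECASE) and (attrs is None or attrs.lower() == attr.lower()):
            return i
    return None

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    raise ValueError("unsupported <who>: " + who)

def access_granted(acl, bind_dn, target_dn, attr="userPassword"):
    """Level slapd would grant: only the first selected clause is consulted, and within it the
    first matching <by> wins (so 'by * none' behind 'by * auth' never fires). A selected clause
    with no matching <by> denies; if no clause selects the entry at all the backend default
    applies, which is read (what the posted log reports as 'backend default ... access')."""
    i = first_matching_clause(acl, target_dn, attr)
    if i is None:
        return "read"
    for who, level in acl[i][2]:
        if who_matches(who, bind_dn, target_dn):
            return level
    return "none"
```

With the posted rule any bound user, not just the entry's owner, gets write on userPassword; the self-only variant denies the other user while still letting anonymous binds authenticate.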
openldap-technical@openldap.org