On Wed, 22 Jan 2014 18:14:22 -0700, Joshua Schaeffer jschaeffer0922@gmail.com wrote:
Just now getting back to this. I ran the daemon in debug mode, then ran the passwd utility on a different server for my uid (got the same results as before, then terminated the daemon) and it output a lot on the ACLs. I attached the full log file. Below is the tail end of the log:
===================================================
52e068f8 <= acl_mask: [3] mask: read(=rscxd)
52e068f8 => slap_access_allowed: read access granted by read(=rscxd)
52e068f8 => access_allowed: read access granted by read(=rscxd)
52e068f8 => access_allowed: result not in cache (userPassword)
52e068f8 => access_allowed: read access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068f8 => acl_get: [1] attr userPassword
52e068f8 => acl_mask: access to entry "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword" requested
52e068f8 => acl_mask: to value by "", (=0)
52e068f8 <= check a_dn_pat: self
52e068f8 <= check a_dn_pat: anonymous
52e068f8 <= acl_mask: [2] applying auth(=xd) (stop)
52e068f8 <= acl_mask: [2] mask: auth(=xd)
52e068f8 => slap_access_allowed: read access denied by auth(=xd)
52e068f8 => access_allowed: no more rules
52e068f8 send_search_entry: conn 1000 access to attribute userPassword, value #0 not allowed
52e068fb => bdb_entry_get: found entry: "uid=jschaeffer,ou=people,dc=harmonywave,dc=com"
52e068fb => bdb_entry_get: found entry: "cn=default,ou=policies,dc=harmonywave,dc=com"
52e068fb => access_allowed: result not in cache (userPassword)
52e068fb => access_allowed: auth access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068fb => acl_get: [1] attr userPassword
52e068fb => acl_mask: access to entry "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword" requested
52e068fb => acl_mask: to value by "", (=0)
52e068fb <= check a_dn_pat: self
52e068fb <= check a_dn_pat: anonymous
52e068fb <= acl_mask: [2] applying auth(=xd) (stop)
52e068fb <= acl_mask: [2] mask: auth(=xd)
52e068fb => slap_access_allowed: auth access granted by auth(=xd)
[...]
There is an anonymous user trying to read a userPassword (and probably trying to modify it afterwards). According to your access rules, only auth permissions are granted to anonymous.
-Dieter
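A small triage helper for slapd ACL debug output like the log quoted above, added here as an example and not part of the thread: it pulls each access_allowed decision out of the log (who asked, for which access level on which attribute, which "by" clause matched, granted or denied) and checks the printed privilege mask, which is why auth(=xd) satisfies an auth request but refuses a read. The sample lines are copied from the log above; the function and class names are my own.

```python
import re
from dataclasses import dataclass

# Privilege letter slapd prints per access level, e.g. read(=rscxd) or auth(=xd).
LEVEL_LETTER = {"disclose": "d", "auth": "x", "compare": "c", "search": "s",
                "read": "r", "write": "w", "manage": "m"}
RE_REQ = re.compile(r'=> access_allowed: (\w+) access to "[^"]*" "([^"]*)" requested')
RE_BY = re.compile(r'=> acl_mask: to .*? by "([^"]*)"')
RE_CLAUSE = re.compile(r'<= acl_mask: \[(\d+)\] applying (\S+)')
RE_RESULT = re.compile(r'=> slap_access_allowed: (\w+) access (granted|denied) by')
# Lines taken from the thread's slapd log (lines in between omitted).
SAMPLE_LOG = """\
52e068f8 => access_allowed: read access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068f8 => acl_mask: to value by "", (=0)
52e068f8 <= acl_mask: [2] applying auth(=xd) (stop)
52e068f8 => slap_access_allowed: read access denied by auth(=xd)
52e068fb => access_allowed: auth access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068fb => acl_mask: to value by "", (=0)
52e068fb <= acl_mask: [2] applying auth(=xd) (stop)
52e068fb => slap_access_allowed: auth access granted by auth(=xd)
"""

@dataclass
class Decision:
    access: str                 # level requested: read, auth, write, ...
    attr: str                   # attribute the check was for
    requester: str = "?"        # bind DN; an empty DN in the log means anonymous
    clause: int = 0             # index of the matching "by" clause in the ACL
    mask: str = ""              # privileges that clause grants, e.g. auth(=xd)
    result: str = "?"           # granted / denied

def mask_allows(mask: str, access: str) -> bool:
    # 'auth(=xd)' -> letters 'xd'; read needs 'r', so that clause cannot grant a read.
    return LEVEL_LETTER[access] in mask[mask.find("=") + 1:].rstrip(")")

def parse_acl_log(text: str) -> list[Decision]:
    decisions, cur = [], None
    for line in text.splitlines():
        if m := RE_REQ.search(line):
            cur = Decision(*m.groups())
            decisions.append(cur)
        elif cur is None:
            continue
        elif m := RE_BY.search(line):
            cur.requester = m.group(1) or "anonymous"
        elif m := RE_CLAUSE.search(line):
            cur.clause, cur.mask = int(m.group(1)), m.group(2)
        elif m := RE_RESULT.search(line):
            cur.result = m.group(2)
            cur = None          # block finished; wait for the next request
    return decisions
```

Run over the full attached log, the denied entries with requester "anonymous" are the ones to look at first, since a properly bound nslcd would show the bind DN there instead.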
Well, I'm not sure what I did really. I uninstalled libpam-ldap and reinstalled libpam-ldapd on my client machine, then made sure I had the following in the /etc/nslcd.conf file:
============================================
# The DN used for password modifications by root.
rootpwmoddn cn=admin,dc=harmonywave,dc=com
============================================
and now it's allowing me to log in and change my password. Maybe I didn't have this configured correctly when I first installed libpam-ldapd. I also tried changing my password again, which shouldn't be allowed (pwdMinAge: 86400, i.e. 1 day), and it did give me an error:
password change failed: Constraint violation
passwd: Authentication token manipulation error
I'm assuming this is because of the ppolicy overlay. I have to run off to work, so I won't be able to do my own searching on whether this is correct or not until tonight. However, I just thought I'd ask if it is possible to display a more user-friendly error message, such as: attempt to change password too frequently....
Thanks, Josh
On 01/23/2014 12:53 AM, Dieter Klünter wrote: