I know this is an old issue and I've searched on the net and tried those, but haven't had any luck. I'm using openldap 2.3.43.
In /etc/openldap/slapd.conf, I have set:
access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
(Of course I restarted slapd), but no luck: insufficient permissions.
The logs show the account binding successfully, but then:
vm001 slapd[pid]: => access_allowed: backend default write access denied to "uid=james,ou=Users,o=dallas"
The complete logs are below. As a test I even tried giving global write access to the password, but it still doesn't work. (The only one who is able to change a user's password is the Directory administrator.)
General log:
vm001 slapd[pid]: conn=2 fd=17 ACCEPT from IP=127.0.0.1:36479 (IP=0.0.0.0:389)
vm001 slapd[pid]: conn=2 op=0 BIND dn="uid=james,ou=users,o=masprt" method=128
vm001 slapd[pid]: conn=2 op=0 BIND dn="uid=james,ou=users,o=masprt" mech=SIMPLE ssf=0
vm001 slapd[pid]: conn=2 op=0 RESULT tag=97 err=0 text=
vm001 slapd[pid]: conn=2 op=1 PASSMOD id="uid=james,ou=users,o=masprt" new
vm001 slapd[pid]: conn=2 op=2 UNBIND
vm001 slapd[pid]: conn=2 op=1 RESULT oid= err=50 text=
vm001 slapd[pid]: conn=2 fd=17 closed
With debugging with ACL listing:
vm001 slapd[pid]: conn=5 fd=16 ACCEPT from IP=127.0.0.1:47612 (IP=0.0.0.0:389)
vm001 slapd[pid]: conn=5 op=0 BIND dn="uid=james,ou=users,o=masprt" method=128
vm001 slapd[pid]: => access_allowed: auth access to "uid=james,ou=Users,o=masprt" "userPassword" requested
vm001 slapd[pid]: => access_allowed: backend default auth access granted to "(anonymous)"
vm001 slapd[pid]: conn=5 op=0 BIND dn="uid=james,ou=Users,o=masprt" mech=SIMPLE ssf=0
vm001 slapd[pid]: conn=5 op=0 RESULT tag=97 err=0 text=
vm001 slapd[pid]: conn=5 op=1 PASSMOD id="uid=james,ou=users,o=masprt" new
vm001 slapd[pid]: => access_allowed: backend default write access denied to "uid=james,ou=Users,o=masprt"
vm001 slapd[pid]: conn=5 op=1 RESULT oid= err=50 text=
vm001 slapd[pid]: conn=5 op=2 UNBIND
vm001 slapd[pid]: conn=5 fd=16 closed
Any help or idea would be appreciated.
thanks, James
On Thursday, 7 January 2010 12:49:24 James Hammett wrote:
I know this is an old issue and I've searched on the net and tried those, but haven't had any luck. I'm using openldap 2.3.43.
In /etc/openldap/slapd.conf, I have set:
access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
Please provide your entire (sanitised) slapd.conf as an attachment. We need to see all your ACLs, and be sure of whether leading white space is present or not ...
(IOW, I can't see anything wrong with what you have provided, but the error seems to indicate that your ACL is not being evaluated).
Regards, Buchan
I had copied the default config file's access line from line 70: access to *
and had placed it under the stanza mentioned below (in the database section). Since it included a space, it was considered a continuation of the previous line. Deleting the space(s) solved the problem. (I also deleted a space before the access line for the password attr.)
Thanks to Buchan Milne, for pointing out my mistake.
later, James
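The continuation rule James ran into can be checked mechanically. The script below is an added example, not code from this thread or from the OpenLDAP project. Its two slapd.conf fragments are constructed to mirror the broken and fixed layouts described above (the suffix, rootdn and ACL values are assumptions, not James's real config). It joins physical lines the way slapd.conf(5) does, where a line beginning with whitespace continues the previous line, and then reports any `access to` that ended up inside another directive instead of starting a logical line of its own.

```python
"""Check an slapd.conf for ACL lines swallowed by the continuation rule.

slapd.conf treats a line that begins with whitespace as a continuation of
the previous line, so an indented "access to ..." silently becomes part of
whatever directive precedes it and is never evaluated as its own ACL.
Both sample configs below are constructed for this example.
"""
import re

# Constructed: the broken layout described in the thread, with a leading
# space before each of the two access lines (values are assumptions).
BROKEN_CONF = """\
include /etc/openldap/schema/core.schema
database bdb
suffix "o=masprt"
rootdn "cn=Manager,o=masprt"
 access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
 access to * by * read
"""

# Constructed: the same config with the leading spaces removed.
FIXED_CONF = """\
include /etc/openldap/schema/core.schema
database bdb
suffix "o=masprt"
rootdn "cn=Manager,o=masprt"
access to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
access to * by * read
"""


def logical_lines(text):
    """Join physical lines the way slapd.conf does.

    A line starting with a space or tab is appended to the previous logical
    line; unwrapping happens before blank and '#' comment lines are dropped,
    matching slapd.conf(5).  Returns (first_physical_line_no, joined_text).
    """
    joined = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw[:1] in (" ", "\t") and joined:
            start, prev = joined[-1]
            joined[-1] = (start, prev + " " + raw.strip())
        else:
            joined.append((lineno, raw.rstrip()))
    return [(n, l.strip()) for n, l in joined
            if l.strip() and not l.startswith("#")]


ACCESS_RE = re.compile(r"\baccess\s+to\b")


def swallowed_acls(text):
    """Return logical lines in which 'access to' appears somewhere other
    than column 0, i.e. an ACL that was merged into another directive."""
    findings = []
    for lineno, line in logical_lines(text):
        for m in ACCESS_RE.finditer(line):
            if m.start() != 0:
                findings.append((lineno, line))
                break
    return findings


def effective_acls(text):
    """Return the ACLs slapd would actually evaluate (directive at column 0)."""
    return [line for _, line in logical_lines(text) if ACCESS_RE.match(line)]


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"--- {name} ---")
        print("effective ACLs:", len(effective_acls(conf)))
        for lineno, line in swallowed_acls(conf):
            print(f"line {lineno}: ACL swallowed into preceding directive:")
            print("   ", line)
```

On the broken fragment the checker reports zero effective ACLs and one directive (the `rootdn` line) that has absorbed both `access to` clauses, which is exactly why slapd fell through to its backend default and denied the write; on the fixed fragment it sees two ACLs and nothing swallowed. Run it against a real slapd.conf by reading the file into the `text` argument.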
openldap-technical@openldap.org