Hello,
I am trying to allow users to change their own passwords.
OS: RHEL7, OpenLDAP version 2.4.39-7.el7_1.x86_64
ACL in slapd.conf:
disallow bind_anon
access to attrs=userPassword by self write by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * auth
access to * by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * break
access to * by dn="cn=Manager,dc=rnd,dc=com" by users read by self write by * auth
From the client machine, 'user5' is trying to change his own password and gets the following error:
$ ldappasswd -H ldaps://ldapdev.rnd.com:636 -x -D "cn=user 5,ou=people,dc=rnd,dc=com" -W -A -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)
Additional info: User alteration of password is not allowed
This error looks like a permissions issue, yet I have already allowed access to attrs=userPassword by self write in slapd.conf. Please let me know if there is anything wrong in the above ACL and why I am getting this error.
Thanks & Regards
Raj
=====-----=====-----=====
Notice: The information contained in this e-mail message and/or attachments to it may contain confidential or privileged information. If you are not the intended recipient, any dissemination, use, review, distribution, printing or copying of the information contained in this e-mail message and/or attachments to it are strictly prohibited. If you have received this communication in error, please notify us by reply e-mail or telephone and immediately and permanently delete the message and any attachments. Thank you
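The question above is whether the ACL itself denies the write. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of how slapd walks "access to <what> by <who> <access> [<control>]" directives, following the order and first-match-wins rules of slapd.access(5), loaded with the two ACLs posted in this thread. It only models the constructs that appear in the thread (attrs= and * targets; self, users, anonymous, dn.base/dn.exact and * identities; stop and break). The `by dn="cn=Manager,..."` clause carries no access level on the page, so it is left out, and the requester DNs used for evaluation are taken from the thread.

```python
# Added example (not from the thread or OpenLDAP): toy model of slapd ACL
# evaluation per slapd.access(5), restricted to the constructs in this thread.
#   <what>: "*" or "attrs=a,b"
#   <who>:  "*", "self", "users", "anonymous", "dn.base=<DN>", "dn.exact=<DN>"
#   <control>: "stop" (default) or "break"

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

USER5 = "cn=user 5,ou=people,dc=rnd,dc=com"   # bind DN from the thread
ANONYMOUS = None                               # unauthenticated requester

# Raj's three directives. 'by dn="cn=Manager,..."' has no access level on the
# page and is omitted (assumption: nothing here is evaluated as cn=Manager).
RAJ_ACL = [
    ("attrs=userPassword", [
        ("self", "write", "stop"),
        ("dn.base=cn=mirrormode,dc=rnd,dc=com", "read", "stop"),
        ("dn.base=cn=binduser,dc=rnd,dc=com", "read", "stop"),
        ("*", "auth", "stop"),
    ]),
    ("*", [
        ("dn.base=cn=mirrormode,dc=rnd,dc=com", "read", "stop"),
        ("dn.base=cn=binduser,dc=rnd,dc=com", "read", "stop"),
        ("*", None, "break"),          # "by * break": try the next directive
    ]),
    ("*", [
        ("users", "read", "stop"),     # matches self too, before "by self"
        ("self", "write", "stop"),
        ("*", "auth", "stop"),
    ]),
]

# John's two olcAccess values.
JOHN_ACL = [
    ("attrs=userPassword,shadowLastChange", [
        ("self", "write", "stop"),
        ("anonymous", "auth", "stop"),
        ("dn.exact=cn=admin,dc=group,dc=ldap", "write", "stop"),
        ("*", "none", "stop"),
    ]),
    ("*", [("*", "read", "stop")]),
]


def what_matches(what, attr):
    """Does the directive's <what> cover attribute `attr`?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    raise ValueError(f"unsupported <what> in this model: {what}")


def who_matches(who, requester, target_dn):
    """Does the <who> clause match the bound DN (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target_dn
    if who.startswith(("dn.base=", "dn.exact=")):
        return requester == who.split("=", 1)[1]
    raise ValueError(f"unsupported <who> in this model: {who}")


def evaluate(acl, requester, target_dn, attr):
    """Access level `requester` gets on `attr` of entry `target_dn`.

    The first directive whose <what> matches is used; inside it the first
    matching <who> wins. "stop" ends evaluation, "break" continues with the
    next matching directive. A directive where no <who> matches denies
    (implicit "by * none"); every directive above ends in "by *", so that
    case never arises for these ACLs.
    """
    granted = "none"
    for what, by_clauses in acl:
        if not what_matches(what, attr):
            continue
        matched = False
        for who, level, control in by_clauses:
            if not who_matches(who, requester, target_dn):
                continue
            matched = True
            if level is not None:
                granted = level
            if control == "stop":
                return granted
            break                       # "break": next directive
        if not matched:
            return "none"
    return granted


def allows(acl, requester, target_dn, attr, needed):
    """True if the granted level is at least `needed` (e.g. "write")."""
    return LEVELS.index(evaluate(acl, requester, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    print("user5 on own userPassword (Raj):", evaluate(RAJ_ACL, USER5, USER5, "userPassword"))
    print("anonymous on userPassword (Raj):", evaluate(RAJ_ACL, ANONYMOUS, USER5, "userPassword"))
    print("user5 on own cn (Raj):", evaluate(RAJ_ACL, USER5, USER5, "cn"))
    print("anonymous on userPassword (John):", evaluate(JOHN_ACL, ANONYMOUS, USER5, "userPassword"))
    print("anonymous on cn (John):", evaluate(JOHN_ACL, ANONYMOUS, USER5, "cn"))
```

Under this model the posted ACL grants user5 `write` on his own userPassword, so an "Insufficient access" on the password change has to come from a layer other than the ACL, which is what the rest of the thread establishes (the ppolicy overlay). The third directive also shows an ordering point worth knowing: `by users read` is listed before `by self write`, and since a bound user matches `users`, self never reaches the `write` clause for the other attributes.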
Hello,
My users are allowed to modify their own passwords. My ACL is set like this:
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none
olcAccess: {1} to * by * read
Though not the perfect configuration, it works. In yours, I don't see the userPassword attribute.
John D. Borresen (Dave)
Email: john.borresen@ll.mit.edu
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Rajagopal Rc
Sent: Wednesday, December 23, 2015 2:04 AM
To: openldap-technical@openldap.org
Subject: Issue while changing user password by self
From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Borresen, John - 0444 - MITLL
Sent: Wednesday, December 23, 2015 10:13 AM
To: openldap-technical@openldap.org
Subject: RE: Issue while changing user password by self
Hello,
My users are allowed to modify their own passwords. My ACL is set like this:
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none
olcAccess: {1} to * by * read
Though not the perfect configuration, it works. In yours, I don't see the userPassword attribute.
You might want to rethink this - you are exposing users' passwords to everyone.
What would be your recommendation?
Thanks,
John D. Borresen (Dave)
From: Craig White [mailto:CWhite@skytouchtechnology.com]
Sent: Wednesday, December 23, 2015 12:27 PM
To: Borresen, John - 0444 - MITLL; openldap-technical@openldap.org
Subject: RE: Issue while changing user password by self
Hi,
There is a userPassword attribute access in slapd.conf
access to attrs=userPassword by self write by dn.base="cn=mirrormode,dc=rnd,dc=com" read by dn.base="cn=binduser,dc=rnd,dc=com" read by * auth
This user has been assigned a different ppolicy, and all other users are assigned the default ppolicy.
The issue is resolved after setting the pwdAllowUserChange attribute to TRUE in the ppolicy.
You might want to rethink this – you are exposing users' passwords to everyone.
I am curious about your view on exposing users' passwords to everyone; please let me know in which part of my ACL you see it.
Thanks & Regards Raj
From: Craig White CWhite@skytouchtechnology.com
To: "Borresen, John - 0444 - MITLL" John.Borresen@ll.mit.edu, "openldap-technical@openldap.org" openldap-technical@openldap.org
Date: 12/23/2015 10:58 PM
Subject: RE: Issue while changing user password by self
Sent by: "openldap-technical" openldap-technical-bounces@openldap.org
On 23/12/2015 08:04, Rajagopal Rc wrote:
This may be linked to your configuration of the ppolicy overlay. Check the pwdAllowUserChange attribute of your policy entry; it should be set to TRUE.
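The check suggested above has one more step in practice: finding out which policy entry actually governs the user, since (as the original poster notes elsewhere in the thread) a user can be on a different policy from the default. The following is an added example, not code from the thread or from OpenLDAP. It reads ldapsearch-style LDIF for the user and policy entries, resolves the effective policy the way ppolicy does (a pwdPolicySubentry attribute on the entry wins, otherwise the overlay's default policy set with ppolicy_default in slapd.conf or olcPPolicyDefault in cn=config), reports pwdAllowUserChange, and produces the ldapmodify LDIF to turn self-service change back on. All entries, the policy DNs and the default-policy DN are constructed for the example and are not values from the thread.

```python
# Added example (not from the thread or OpenLDAP): which ppolicy entry
# governs a user, and does it allow self-service password change?
# pwdPolicySubentry is an operational attribute, so the ldapsearch that
# produced the input must request it explicitly (ldapsearch -LLL ... '*' '+').

DEFAULT_POLICY_DN = "cn=default,ou=policies,dc=rnd,dc=com"   # assumed ppolicy_default
USER5 = "cn=user 5,ou=people,dc=rnd,dc=com"                   # DN from the thread

# Constructed LDIF: one user on a per-user policy, one on the default policy,
# and the two policy entries themselves.
SAMPLE_LDIF = """\
dn: cn=user 5,ou=people,dc=rnd,dc=com
objectClass: inetOrgPerson
cn: user 5
sn: five
pwdPolicySubentry: cn=strict,ou=policies,dc=rnd,dc=com

dn: cn=user 1,ou=people,dc=rnd,dc=com
objectClass: inetOrgPerson
cn: user 1
sn: one

dn: cn=default,ou=policies,dc=rnd,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: default
pwdAttribute: userPassword
pwdAllowUserChange: TRUE

dn: cn=strict,ou=policies,dc=rnd,dc=com
objectClass: pwdPolicy
objectClass: organizationalRole
cn: strict
pwdAttribute: userPassword
pwdAllowUserChange: FALSE
pwdMustChange: TRUE
"""


def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}.
    Entries are blank-line separated; '#' comments are skipped; base64
    ('::') values are not decoded, which is fine for the attributes used here."""
    entries, current = {}, None
    for line in unfold(text):
        if not line.strip():
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, value = line.split(":", 1)
        value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def effective_policy_dn(entries, user_dn, default_dn=DEFAULT_POLICY_DN):
    """pwdPolicySubentry on the entry wins; otherwise the overlay's default policy."""
    return entries[user_dn].get("pwdPolicySubentry", [default_dn])[0]


def user_may_change_password(entries, user_dn, default_dn=DEFAULT_POLICY_DN):
    """pwdAllowUserChange of the effective policy; an absent value means TRUE."""
    policy = entries[effective_policy_dn(entries, user_dn, default_dn)]
    return policy.get("pwdAllowUserChange", ["TRUE"])[0].upper() == "TRUE"


def fix_ldif(policy_dn):
    """ldapmodify input that re-enables self-service password change."""
    return (f"dn: {policy_dn}\nchangetype: modify\n"
            "replace: pwdAllowUserChange\npwdAllowUserChange: TRUE\n")


def diagnose(ldif_text, user_dn, default_dn=DEFAULT_POLICY_DN):
    """Report the governing policy and, if it blocks self-change, the fix."""
    entries = parse_ldif(ldif_text)
    policy_dn = effective_policy_dn(entries, user_dn, default_dn)
    allowed = user_may_change_password(entries, user_dn, default_dn)
    return {"policy": policy_dn, "allowed": allowed,
            "fix": None if allowed else fix_ldif(policy_dn)}


if __name__ == "__main__":
    for dn in (USER5, "cn=user 1,ou=people,dc=rnd,dc=com"):
        r = diagnose(SAMPLE_LDIF, dn)
        print(f"{dn}: policy={r['policy']} pwdAllowUserChange={r['allowed']}")
        if r["fix"]:
            print(r["fix"])
```

Feed the script the output of an ldapsearch run as an identity that may read the user entry, its operational attributes and the policy entries; the fix LDIF it prints is applied with ldapmodify bound as a DN with write access to the policy entry. The script deliberately checks the policy that applies to the specific user rather than the default one, which is exactly the case this thread ran into.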
Thanks for your response. Yes, you are right: the issue was with the ppolicy pwdAllowUserChange attribute, as it was set to FALSE. It is working fine now after changing it to TRUE.
Thanks & Regards Raj
From: Clément OUDOT clement.oudot@savoirfairelinux.com
To: openldap-technical@openldap.org
Date: 12/23/2015 10:57 PM
Subject: Re: Issue while changing user password by self
Sent by: "openldap-technical" openldap-technical-bounces@openldap.org