[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#6270) Conflict between ppolicy (pwdReset flag) and unique overlays

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#6270) Conflict between ppolicy (pwdReset flag) and unique overlays
From: hyc@symas.com
Date: Mon, 30 Nov 2009 05:15:34 GMT
Auto-submitted: auto-generated (OpenLDAP-ITS)

clem.oudot@gmail.com wrote:
> Full_Name: Clement OUDOT
> Version: 2.4.16
> OS: RHEL 5.2
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (83.145.72.122)
>
>
> Hello,
>
> I use both ppolicy and unique overlays.
>
> I try to modify the password of an account whose pwdReset attribute is set to
> TRUE. I get this LDAP error:
>
> ldap_modify: Insufficient access (50)
>          additional info: unique_search failed
>
> In OpenLDAP logs, we can see:
>
> connection restricted to password changing only
> send_ldap_result: conn=20 op=2 p=3
> send_ldap_result: err=50 matched="" text="Operations are restricted to
> bind/unbind/abandon/StartTLS/modify password"
> send_ldap_result: conn=20 op=2 p=3
> send_ldap_result: err=50 matched="" text="unique_search failed"
> send_ldap_response: msgid=3 tag=103 err=50
>
>
> So it seems the unique overlay cannot do a search because the connection is
> restricted by the ppolicy overlay.

Given the configuration you provided, this should now be fixed with the 
unique.c in CVS HEAD.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Prev by Date: (ITS#6404) tests return success on failure
Next by Date: ITS#6379 published: SECURITY: Incorrect handling of '\0' in postal address
Index(es):
- Chronological
- Thread