
Re: ACL problem



On 11/1/05, Samuel Tran <stran@amnh.org> wrote:
> > But there's a weird problem, the "userPassword" of entries in
> > ou=People,dc=([^,]+),dc=com, either using my slapd admin account or
> > entries in ou=Admin,dc=$2,dc=com was invalid. I could successfully add
> > the "userPassword", but when I used the "Password" to auth (say,
> > ldapsearch), "ldap_bind: Invalid credentials (49)" showed up.
> >
> > All the entries not in ou=People,dc=([^,]+),dc=com can auth well. I
> > added a new rule and put it before "access to attrs=userPassword"
> > (slapd.conf default ACL):
> > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
> >
> > Still the same :(
>
> Please could you post all your ACL rules?
>
> Try to add this rule before the other rule:
>
> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> attrs=userPassword
>         by dn.one,expand="ou=Admin,dc=$2,dc=com" write
>         by self write
>         by anonymous auth
>
> This will allow:
> - the admins to modify userPassword
> - the users to modify their own userPassword
> - anonymous to authenticate
>
> --
> Sam

Sorry for the inconvenience :)

My original ACL ("cn=admin,dc=com" is my slapd db admin account):
=========================snip1=========================
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
        by dn="cn=admin,ou=vd" write
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
        by self write
        by anonymous auth

access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
        by dn="cn=admin,ou=vd" write
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
        by self write
        by anonymous auth

access to attrs=userPassword
        by dn="cn=admin,dc=com" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=com" write
        by * none
=========================snip1=========================

But it still had the same problem: I could add or modify the
"userPassword" attribute of entries in ou=People,dc=([^,]+),dc=com,
but when authenticating it showed "Invalid credentials", just as if a
wrong password had been typed.

And I changed my ACL to:
=========================snip2=========================
access to dn.regex="ou=People,dc=([^,]+),dc=com"
        by dn="cn=admin,ou=vd" write
        by dn.regex,expand="ou=Admin,dc=$1,dc=com" write
        by self write
        by anonymous auth

access to attrs=userPassword
        by dn="cn=admin,dc=com" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=com" write
        by * none
=========================snip2=========================

It seems that things are looking good now.

Thanks for your help, I really appreciate that :)
--
Thanks~
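The thread never states why snip1 failed and snip2 worked. The following is an added Python model, not part of the mail and not slapd's own code, that replays OpenLDAP's first-match ACL evaluation over the two rule sets quoted above: the first "access to" clause whose target matches the entry and attribute is selected, its first matching "by" clause decides, and a clause with no matching "by" ends in the implicit "by * none". Running it shows which clause each operation lands on: an anonymous simple bind needs "auth" on userPassword of the bind DN; the dn.one,expand / dn.regex,expand clause confines admin writes to the ou=Admin of the same dc, so an admin from another dc falls through to the implicit deny; and the "$2" of snip1 became "$1" in snip2 because the new regex has only one capture group. The DNs uid=bob, cn=alice, cn=eve and the dc=example tree are constructed; the model compares lower-cased DN strings instead of slapd's normalized form, and under it both rule sets grant the anonymous auth, so the simplification does not reproduce the failure the poster hit.

```python
import re

# Added toy model of slapd.conf ACL evaluation (not slapd's code): first matching
# "access to" clause wins, then its first matching "by" clause decides. Only the
# <what>/<who> forms used in the thread are supported; DNs are lower-cased, not normalized.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # ascending privilege

def parse_acls(text):
    rules = []
    for block in filter(str.strip, re.split(r"(?m)^access to ", text)):
        what, *by_lines = [l.strip() for l in block.strip().splitlines()]
        dn = re.search(r'dn\.regex="([^"]*)"', what)
        attrs = re.search(r"attrs=(\S+)", what)
        rule = {"dn_pat": dn.group(1) if dn else None,
                "attrs": set(attrs.group(1).split(",")) if attrs else None, "by": []}
        for line in by_lines:
            bm = re.match(r'^by (\S+?)(?:="([^"]*)")?\s+(\w+)$', line)
            if not bm:
                raise ValueError("unsupported by-clause: " + line)
            rule["by"].append(bm.groups())          # (who, value or None, level)
        rules.append(rule)
    return rules

def target_matches(rule, target_dn, attr):
    # Returns a regex match (kept for $n expansion), True, or None if the clause does not apply.
    m = True
    if rule["dn_pat"] is not None:
        m = re.search(rule["dn_pat"], target_dn)    # unanchored unless the pattern has ^...$
        if not m:
            return None
    if rule["attrs"] is not None and attr not in rule["attrs"]:
        return None
    return m

def expand(template, m):
    # Substitute $1, $2, ... with capture groups of the <what> regex match.
    return template if m is True else re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", template)

def who_matches(who, value, requester, target_dn, m):
    # requester is the bound DN, or None for an anonymous request (as during a simple bind).
    if who in ("*", "anonymous"):
        return who == "*" or requester is None
    if requester is None:
        return False
    if who == "self":
        return requester.lower() == target_dn.lower()
    if who == "dn":
        return requester.lower() == value.lower()
    if who == "dn.one,expand":        # requester must sit exactly one level below the expanded DN
        parent = requester.split(",", 1)[1] if "," in requester else ""
        return parent.lower() == expand(value, m).lower()
    if who == "dn.regex,expand":      # expanded string is used as a regex over the requester DN
        return re.search(expand(value, m), requester) is not None
    raise ValueError("unsupported who: " + who)

def check(rules, requester, target_dn, attr, needed):
    # Returns (index of the selected clause, level granted, whether `needed` is satisfied).
    for i, rule in enumerate(rules):
        m = target_matches(rule, target_dn, attr)
        if m is None:
            continue
        for who, value, level in rule["by"]:
            if who_matches(who, value, requester, target_dn, m):
                return i, level, LEVELS.index(level) >= LEVELS.index(needed)
        return i, "none", False        # implicit trailing "by * none"
    return None, "none", False         # nothing matched at all: denied

# The two ACL sets from the mail, used here as constructed input; TAIL is their common part.
TAIL = '''
access to attrs=userPassword
        by dn="cn=admin,dc=com" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="cn=admin,dc=com" write
        by * none
'''
SNIP1 = parse_acls('''
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
        by dn="cn=admin,ou=vd" write
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
        by self write
        by anonymous auth
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
        by dn="cn=admin,ou=vd" write
        by dn.one,expand="ou=Admin,dc=$2,dc=com" write
        by self write
        by anonymous auth
''' + TAIL)
SNIP2 = parse_acls('''
access to dn.regex="ou=People,dc=([^,]+),dc=com"
        by dn="cn=admin,ou=vd" write
        by dn.regex,expand="ou=Admin,dc=$1,dc=com" write
        by self write
        by anonymous auth
''' + TAIL)

BOB = "uid=bob,ou=People,dc=example,dc=com"       # constructed user entry
ALICE = "cn=alice,ou=Admin,dc=example,dc=com"     # constructed admin of the same dc as bob
EVE = "cn=eve,ou=Admin,dc=other,dc=com"           # constructed admin of a different dc
```

Call `check(SNIP1, None, BOB, "userPassword", "auth")` to see the anonymous bind of bob land on clause 0 with "auth", `check(SNIP1, ALICE, BOB, "userPassword", "write")` to see the same-dc admin get "write" through the expanded dn.one clause, and `check(SNIP1, EVE, BOB, "userPassword", "write")` to see the other-dc admin fall through to "none"; the later generic `access to attrs=userPassword` clause is only reached for entries outside ou=People, which is the first-match behaviour to keep in mind whenever a more specific clause is placed before it.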