
Re: access permissions



--On Thursday, August 16, 2007 12:19 PM -0500 Adam Williams <awilliam@mdah.state.ms.us> wrote:

I'm reading through Chapter 6 of the OpenLDAP Software 2.3
Administrator's Guide, but I'm a little confused on access permissions.
I think my access permissions are wrong.

I have 2 users loaded in openldap, adam and testuser.  In slapd.conf I
have:

access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
        by * none
access to *
        by self write
        by dn.base="cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" write
        by * read

but adam can change testuser's password, and I want it so that a user can
only change their password and not someone else's:

[root@gomer ~]# su -l adam
[adam@gomer ~]$ ldapmodify -D "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxxx -x -v -f changepasswd.ldif
ldap_initialize( <DEFAULT> )
replace userPassword:
        {CRYPT}xxxxxxxxxxxx
modifying entry
"uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
modify complete

Well, in your above example here, ADAM binds as TESTUSER not as ADAM, and so is able to change TESTUSER's password. I see no problem with your ACLs, only your test. I.e., all you have proven is that testuser can change their own password.


The correct test would be to do:

ldapmodify -D "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxx -x -v -f changepasswd.ldif

--Quanah


--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration
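The point behind Quanah's answer is that slapd decides "self" from the bind DN given with -D, not from the Unix account running ldapmodify. The following is an added example, not part of the thread: a simplified Python model of how slapd walks the two access directives quoted above (first matching "access to" clause wins, then the first matching "by" clause within it). Only the self, anonymous, dn.base and * selectors are modelled; the DNs are the ones from the post.

```python
# Simplified model of slapd ACL evaluation for the two directives in the thread.
# Assumption: only the who-selectors used in that slapd.conf are implemented.
from typing import List, Optional, Set, Tuple

MANAGER = "cn=Manager,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
ADAM = "uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"
TESTUSER = "uid=testuser,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us"

# slapd access levels, least to most privileged.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# (attribute set, or None for "access to *") and its "by" clauses, in file order.
ACLS: List[Tuple[Optional[Set[str]], List[Tuple[str, str]]]] = [
    ({"userPassword"}, [("self", "write"), ("anonymous", "auth"),
                        ("dn.base=" + MANAGER, "write"), ("*", "none")]),
    (None, [("self", "write"), ("dn.base=" + MANAGER, "write"), ("*", "read")]),
]


def who_matches(who: str, bind_dn: str, target_dn: str) -> bool:
    """Does a 'by <who>' selector apply to this bind DN acting on target_dn?"""
    if who == "*":
        return True
    if who == "self":                     # bound DN is the entry being modified
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if who == "anonymous":
        return bind_dn == ""
    if who.startswith("dn.base="):        # exact DN match, case-insensitive
        return bind_dn.lower() == who[len("dn.base="):].lower()
    return False


def granted_level(bind_dn: str, target_dn: str, attr: str) -> str:
    """First 'access to' clause covering attr decides; first matching 'by' wins."""
    for attrs, clauses in ACLS:
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"                     # clause matched but no 'by' did: deny
    return "none"                         # no clause matched: deny


def can(bind_dn: str, target_dn: str, attr: str, needed: str) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

Binding as adam and writing testuser's userPassword falls through to "by * none", whereas testuser's own bind and the Manager bind both reach a "write" clause, which is exactly what the corrected ldapmodify test exercises.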