[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ppolicy pwdReset

Hi,

Ok, I'll just read again that FAQ. Check this complete log of ppolicy with/without smbk5pwd overlay. Or maybe just another pam_ldap bug

1. change passwd before entering new password
# passwd techsupport
Enter login(LDAP) password:

smbk5pwd+ppolicy log: http://pastebin.com/m7dce205a
ppolicy log: http://pastebin.com/m18f72eb6

2. enter new password
New password:
Re-enter new password:
LDAP password information update failed: Insufficient access
Operations are restricted to bind/unbind/abandon/StartTLS/modify password
passwd: Permission denied
passwd: password unchanged

smbk5pwd+ppolicy log: http://pastebin.com/m4f98884e
ppolicy log: http://pastebin.com/m2fe93f63

If you look into step 1 anomymous is applied as well, without smbk5pwd and pwdReset update is successful. In step 2 there you can see the difference, if its acl problem can someone suggest a working acl(minimal) with smbk5pwd+ppolicy+pwdReset...

thanks
grexk
--- On Mon, 7/28/08, Dieter Kluenter <dieter@dkluenter.de> wrote:
From: Dieter Kluenter <dieter@dkluenter.de>
Subject: Re: ppolicy pwdReset
To: openldap-software@openldap.org
Date: Monday, July 28, 2008, 3:06 PM

greek ordono <grexk@yahoo.com> writes:

> Hello,                                                                    
                                                     
>                                                                           
                                                     
> I've changed my acl like this:                                        
                                                      
   
> access to
attrs=userPassword,shadowLastChange,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
               
>         by dn="cn=nssldap,ou=DSA,dc=moldex,dc=group" write      
                                                               
>         by anonymous auth                                                 
                                                     
>         by self write                                                     
                                                     
>                                                                           
                                                     
> access to *                                                               
                                                     
>         by self write                                                     
                                   
                  
>         by * read                                                         
                                                     
>                                                                           
                                                     
                                            
> <= acl_mask: [3] applying auth(=xd) (stop)                             
                                                        
> <= acl_mask: [3] mask: auth(=xd)                                       
                                                        
> => slap_access_allowed: read access denied by auth(=xd)                
                                                        
> => access_allowed: no more rules                                       
                                                        

The answer is obvious, your rule "by
 anonymous auth" is applied.
You should prabably read
http://www.openldap.org/faq/data/cache/189.html
in order to design access rules

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6