
Re: OpenLDAP Group ACL



Luke Lee wrote:
Sir,

I modified my settings and added the following group:

dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: pwmanager
userPassword: {crypt}x
gidNumber: 550
memberUid: l_luke
memberUid: w_smith

I still don't see any DN-valued "member" attribute in your group. It's pointless to guarantee access based on "member" while you don't have any "member" value in your group. Until you fix (and understand) this (which is very basic LDAP) the server is behaving as expected and correctly denying you access.


p.


I also modified my ACL in the slapd.conf:

access to attr=userPassword
        by self write
        by anonymous auth
        by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
        by * none
access to *
        by self write
        by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
        by * read

I used the same command trying to change the user's password but received the exact same error. Would you please help? You mentioned that the nisNetgroup object doesn't fit in the ACL configuration in your previous reply. I had defined netgroups that looked like the following:

dn: cn=Sales,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: Sales
nisNetgroupTriple: (,c_parks,mydomain.com)
nisNetgroupTriple: (,j_berryhill,mydomain.com)
nisNetgroupTriple: (,b_chen,mydomain.com)

Would there be a way for me to use the netgroup and its members for any ACL type of access?

Your help will be highly appreciated!



----- Original Message ----
From: Pierangelo Masarati <ando@sys-net.it>
To: Luke Lee <leeluke77@yahoo.com>
Cc: openldap-technical@openldap.org
Sent: Thursday, March 27, 2008 12:35:16 PM
Subject: Re: OpenLDAP Group ACL

Hello,

I'll appreciate it if any of you are willing to take time and share with
me your experience with OpenLDAP running on a RedHat server configured
with group ACL.

I'm trying to grant a group of people (including myself) the permission to
change user LDAP passwords. However, when I try to change a user's LDAP
password, I received the following message:

Result: Insufficient access (50)

The command that I used was:

ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S
"uid=w_smith,ou=People,dc=mydomain,dc=com"

My ACL settings in the slapd.conf file are:

access to attr=userPassword
       by self write
       by anonymous auth
       by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
       by * none
access to *
       by self write
       by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
       by * read

My netgroup has been defined as the following:

dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: ITgroup
nisNetgroupTriple: (,l_luke,mydomain.com)
nisNetgroupTriple: (,w_smith,mydomain.com)
nisNetgroupTriple: (,g_baker,mydomain.com)
description: Password Keepers

My user entry is:

# l_luke, People mydomain.com
dn: uid=l_luke,ou=People,dc=mydomain,dc=com
uid: l_luke
cn: l_luke
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13958
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/l_luke
gecos: Luke Lee

Can anyone point me to the right direction or share with me the correct
group ACL settings that you have? Thanks!

As indicated in slapd.access(5), the member attribute must have either distinguishedName syntax (or nameAndOptionalUID syntax) or be derived from memberURL; it defaults to "member". It appears from your message that you expect "nisNetgroupTriple" to be used as the member attribute, but you should specify that attribute in the ACL clause. However, "nisNetgroupTriple" wouldn't be allowed since it doesn't comply with the above restrictions. You need to use LDAP groups for access control; nisNetgroup objects don't fit.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:  pierangelo.masarati@sys-net.it
---------------------------------------


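The point made twice in this thread (the group ACL compares the bind DN against DN-valued attribute values of the group entry, so a posixGroup's memberUid or a nisNetgroup's nisNetgroupTriple can never satisfy `group/groupOfNames/member=`) is easiest to see by modelling slapd's evaluation of a `by group/<objectClass>/<attr>="<groupDN>"` clause. The script below is an added example, not code from the thread or from OpenLDAP: it parses a constructed LDIF containing the two groups Luke posted plus an invented, corrected `cn=pwmanagers` groupOfNames whose `member` values are the users' entry DNs (assumed to live under `ou=People`, which is where the posted user entry actually is), and applies the rules slapd.access(5) describes. `DN_VALUED_ATTRS` is a hand-picked subset of core-schema attributes with distinguishedName or nameAndOptionalUID syntax, used to mimic slapd refusing a clause that names a non-DN attribute at startup.

```python
"""Model of how slapd evaluates a ``by group/<objectClass>/<attr>="<groupDN>"``
ACL clause: it reads the entry named <groupDN>, requires it to carry
<objectClass>, and grants access only if the bind DN equals one of the values
of <attr>.  <attr> therefore has to hold DNs; posixGroup's memberUid (bare login
names) and nisNetgroup's nisNetgroupTriple can never match a bind DN.

Added example, not code from the thread or from OpenLDAP.  Assumptions: the
LDIF is constructed (cn=pwmanagers is the invented corrected group), bind DNs
are the users' real entry DNs under ou=People, and DN_VALUED_ATTRS is a
hand-picked subset of core-schema attributes with DN/nameAndOptionalUID syntax.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed sample directory: the two groups from the thread (neither can
# satisfy a group ACL) plus a corrected groupOfNames whose members are DNs.
SAMPLE_LDIF = """\
dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: pwmanager
gidNumber: 550
memberUid: l_luke
memberUid: w_smith

dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: ITgroup
nisNetgroupTriple: (,l_luke,mydomain.com)
nisNetgroupTriple: (,w_smith,mydomain.com)

dn: cn=pwmanagers,ou=Group,dc=mydomain,dc=com
objectClass: groupOfNames
objectClass: top
cn: pwmanagers
member: uid=l_luke,ou=People,dc=mydomain,dc=com
member: uid=w_smith,ou=People,dc=mydomain,dc=com
"""

Entry = Dict[str, List[str]]

# Attributes slapd accepts as the group member attribute (subset, assumed).
DN_VALUED_ATTRS = {"member", "uniquemember", "owner", "roleoccupant", "seealso", "manager"}

# group[/<objectClass>[/<attr>]][.<style>]="<groupDN>"
CLAUSE_RE = re.compile(r'^group(?:/([\w-]+)(?:/([\w-]+))?)?(?:\.(\w+))?="?([^"]+)"?$')


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, ':' and '::' (base64)
    attribute lines, leading-space continuations, '#' comments.  Attribute
    names are lower-cased because LDAP attribute types are case-insensitive."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        lines: List[str] = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:      # folded continuation line
                lines[-1] += raw[1:]
            else:
                lines.append(raw)
        entry: Entry = {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):              # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            entry.setdefault(name.strip().lower(), []).append(value)
        entries.append(entry)
    return entries


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: split on unescaped commas, strip
    whitespace, lower-case types and values.  slapd normalises each RDN by its
    attribute's matching rule; uid/cn/ou/dc are caseIgnore, so folding case is
    accurate for the DNs used here."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    out = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        out.append(f"{attr_type.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def find_entry(entries: List[Entry], dn: str) -> Optional[Entry]:
    want = normalize_dn(dn)
    for entry in entries:
        if entry.get("dn") and normalize_dn(entry["dn"][0]) == want:
            return entry
    return None


def group_grants(entries: List[Entry], clause: str, bind_dn: str) -> bool:
    """True if <bind_dn> would match the given 'group...=' ACL clause.
    Raises ValueError for clauses slapd would reject when reading slapd.conf."""
    match = CLAUSE_RE.match(clause.strip())
    if not match:
        raise ValueError(f"unparseable group clause: {clause}")
    object_class, attr, style, group_dn = match.groups()
    object_class = (object_class or "groupOfNames").lower()   # slapd defaults
    attr = (attr or "member").lower()
    if style not in (None, "exact", "base"):
        raise ValueError(f"style '{style}' not modelled here")
    if attr not in DN_VALUED_ATTRS:
        raise ValueError(f"attribute '{attr}' lacks DN/nameAndOptionalUID syntax")
    group = find_entry(entries, group_dn)
    if group is None:                       # no such group: clause never matches
        return False
    if object_class not in {oc.lower() for oc in group.get("objectclass", [])}:
        return False                        # entry exists but is not that kind of group
    want = normalize_dn(bind_dn)
    return any(normalize_dn(v) == want for v in group.get(attr, []))


def evaluate_thread_scenario() -> Dict[str, object]:
    """Run the clauses from the thread, plus the corrected group, for l_luke."""
    entries = parse_ldif(SAMPLE_LDIF)
    luke = "uid=l_luke,ou=People,dc=mydomain,dc=com"
    fixed = 'group/groupOfNames/member="cn=pwmanagers,ou=Group,dc=mydomain,dc=com"'
    results: Dict[str, object] = {
        # second attempt: groupOfNames/member clause against a posixGroup
        "posixgroup_via_member": group_grants(
            entries, 'group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com"', luke),
        # first attempt: group.exact (defaults to groupOfNames/member) against the netgroup
        "netgroup_via_member": group_grants(
            entries, 'group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com"', luke),
        # corrected group: DN-valued member attribute
        "groupofnames": group_grants(entries, fixed, luke),
        "groupofnames_case_variant": group_grants(
            entries, fixed, "UID=L_Luke, OU=People, DC=mydomain, DC=com"),
        "groupofnames_outsider": group_grants(
            entries, fixed, "uid=g_baker,ou=People,dc=mydomain,dc=com"),
    }
    try:   # pointing the clause at memberUid is refused before any request is served
        group_grants(entries, 'group/posixGroup/memberUid="cn=pwmanager,ou=Group,dc=mydomain,dc=com"', luke)
        results["posixgroup_via_memberuid"] = "accepted"
    except ValueError as exc:
        results["posixgroup_via_memberuid"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in evaluate_thread_scenario().items():
        print(f"{name}: {outcome}")
```

With the group written as in the `cn=pwmanagers` entry above, the ACL lines Luke already has (`by group/groupOfNames/member="<groupDN>" write`) match as soon as the group DN in the clause names that entry; the `memberUid` and `nisNetgroupTriple` values never enter into the comparison.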