[Date Prev][Date Next] [Chronological] [Thread] [Top]

passwd fails

To: openldap-technical@openldap.org
Subject: passwd fails
From: Holger Schier <hschier@mathematik.uni-mainz.de>
Date: Thu, 02 Dec 2010 15:26:47 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.1.15) Gecko/20101026 SUSE/3.0.10 Lightning/1.0b1 Thunderbird/3.0.10

Hi guys,

my ldapserver works fine now, but the first users are arriving.
The normal user should change their own password. So, everyone thinks of
passwd in the shell.

But:
LDAP password information update failed: Insufficient access
Must supply old password to be changed as well as new one

Here is my ACL:

olcAccess: {0} to
attrs=pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdH
 istory,pwdGraceUseTime,pwdReset
by * none

olcAccess: {1}to attrs=userPassword
by self write
by * auth

olcAccess: {2}to attrs=shadowLastChange
by self write
by dn.base="cn=BINDUSER,dc=MY,dc=DC" read
by users read
by * auth

olcAccess: {3}to attrs=userPKCS12
by self read
by * none

olcAccess: {4}to *
by dn.base="cn=BINDUSER,dc=MY,dc=DC" read
by * none

I tried the same with
olcAccess: {4}to *
by * read

and allowing anonymous binds, but same error.
passwd seems to try to bind with the binduser and then to read and to
write the userPassword, but only has auth access.

Has anyone an idea how to enable this?

Thanks a lot.
Holger

Follow-Ups:
- Re: passwd fails
  - From: Benjamin Griese <der.darude@gmail.com>
- Re: passwd fails
  - From: Buchan Milne <bgmilne@staff.telkomsa.net>

Prev by Date: Re: OpenLDAP on T2000
Next by Date: Re: Programmatically creating users
Index(es):
- Chronological
- Thread