
Re: ACL Problem



On Tuesday, 20 December 2011 10:55:12 Selcuk Yazar wrote:
> Hi,
> 
> I want to ldap users to change their password.
> 
> sample user dn is
> mail=edergi@.....mail......edu.tr,ou=SOME_UNIT,jvd=.....mail.......edu.tr,o=hosting
> 
> and we have acl rules in slapd.conf
> 
> access to dn.regex=".*,ou=.*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
>         attrs=userPassword
>         by self write
>         by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
>         by * auth
>         by * none
> 
> access to dn.regex=".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
>         by self write
>         by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example" write
>         by * read
> 
> access to *
>         by * read
> 
> I applied various rules from the OpenLDAP documentation, but none of them works.

It is not clear whether your 'sample user dn' matches the regex in your first 
rule.

Why don't you provide a password changing attempt, done with 'ldappasswd', 
showing the full command line, and all output.

> Why can't users change their password?

If you had provided the error code, we could have been relatively sure, but I 
will guess they don't have sufficient access because your regex isn't 
matching.

Regards,
Buchan
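The reply above hinges on one question: does the user's DN actually match the `dn.regex` of the first access directive? Because slapd evaluates access directives in file order and applies the first one whose `<what>` matches the target entry and attribute, a DN that misses the first two regexes falls through to `access to * by * read`, and the user is left with read access to its own userPassword, which is the "insufficient access" outcome Buchan guesses at. The following script is an added example (not code from the thread or from OpenLDAP) that replays that ordered evaluation offline for the three directives quoted in the mail. The two sample DNs are constructed: the first has the shape the poster typed (ending at `o=hosting`, with no `dc=` components), the second carries the full `dc=myhosting,dc=example` suffix the regexes require. It assumes, as Python's `re.search` with `IGNORECASE` approximates, that slapd matches `dn.regex` patterns as case-insensitive POSIX extended regexes against the normalized DN.

```python
import re

# The three access directives from the slapd.conf quoted in the thread, in
# file order. Each entry: (dn.regex <what>, attrs restriction or None,
# access level the directive grants to "self"). "access to *" is modelled
# as a match-everything regex with no attribute restriction.
ACL_RULES = [
    (r".*,ou=.*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example", "userPassword", "write"),
    (r".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example", None, "write"),
    (r".*", None, "read"),
]

# The group/.../roleOccupant.expand= template from the thread; $1 is the
# jvd value captured by the <what> regex.
POSTMASTER_GROUP = "cn=postmaster,jvd=$1,o=hosting,dc=myhosting,dc=example"

# Constructed sample DNs (placeholder domain, not the poster's real data).
# DN_AS_TYPED mirrors the redacted DN in the mail, which stops at o=hosting.
DN_AS_TYPED = "mail=edergi@mail.example.edu.tr,ou=SOME_UNIT,jvd=mail.example.edu.tr,o=hosting"
DN_FULL = DN_AS_TYPED + ",dc=myhosting,dc=example"


def match_what(pattern, dn):
    """Match a dn.regex <what> clause against a DN.

    Assumption: slapd compiles dn.regex as a case-insensitive POSIX extended
    regex and matches it against the normalized DN; re.search with
    IGNORECASE stands in for that here. Returns (matched, captured_groups).
    """
    m = re.search(pattern, dn, re.IGNORECASE)
    return (True, m.groups()) if m else (False, ())


def expand(template, groups):
    """Substitute $1..$9 in an .expand= group DN with the captured values."""
    out = template
    for i, val in enumerate(groups, start=1):
        out = out.replace(f"${i}", val)
    return out


def self_access(dn, attr):
    """Decide what a user binding as `dn` may do to `attr` on its own entry.

    Directives are consulted in order; the first whose <what> matches both
    the DN and the attribute wins and later directives are ignored. Returns
    (rule_index, access_level, expanded_postmaster_group_or_None).
    """
    for idx, (pattern, attrs, level) in enumerate(ACL_RULES):
        if attrs is not None and attrs.lower() != attr.lower():
            continue  # attribute restriction excludes this directive
        matched, groups = match_what(pattern, dn)
        if matched:
            group_dn = expand(POSTMASTER_GROUP, groups) if groups else None
            return idx, level, group_dn
    return None, "none", None  # no directive matched: default deny


if __name__ == "__main__":
    for dn in (DN_AS_TYPED, DN_FULL):
        idx, level, group_dn = self_access(dn, "userPassword")
        print(f"{dn}\n  -> rule {idx}, self gets '{level}' on userPassword, "
              f"postmaster group = {group_dn}")
```

Run against the DN as typed in the thread, only the catch-all third directive matches, so the user gets `read` on userPassword and `ldappasswd` would fail with insufficient access; with the full suffix the first directive matches, `$1` expands to the jvd value, and self is granted `write`. Feeding the real DN from an `ldapwhoami` or `ldappasswd` run into `self_access` is the quickest way to confirm which directive slapd will actually select before touching the regexes.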