(ITS#8775) PASSMOD exop fails with RWM and tight ACLs
Full_Name: Thomas Quinot
Version: slapd 2.X (Nov 22 2017 11:39:03)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/quinot-171122.diff
Submission from: (NULL) (2a02:2ab8:224:1:36e6:d7ff:fe09:66dd)
If a tight ACL is globally defined for userPassword:

    access to attrs=userPassword
        by dn="cn=Manager,o=Local" write
        by self write
        by anonymous auth
and there is a virtual naming context implemented using a relay backend with the rwm
overlay:

    database @BACKEND@
    suffix "dc=example,dc=com"
    [...]

    database relay
    suffix o=OtherExample,c=US
    relay dc=example,dc=com
    overlay rwm
    rwm-suffixmassage "dc=example,dc=com"
then an end-user's attempt to update her own password fails with:

    err=53 text=unwilling to verify old password

because at some point we attempt to apply the above ACL to the original
(virtual) DN of the entry, while the requester identity is the resolved (real) DN
of the user, so the "by self" clause cannot match:

    5a1553ea => acl_mask: access to entry "cn=Ursula Hampster,ou=Alumni Association,ou=People,o=OtherExample,c=US", attr "userPassword" requested
    5a1553ea => acl_mask: to value by "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com", (=0)
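The following is an added illustration of the mismatch the report describes; it is not slapd code or part of the submitted patch. It models rwm-suffixmassage and an acl_mask-style evaluation of the ACL quoted above with a few toy functions (all names are hypothetical), then runs them on the two DNs from the log lines: the entry is addressed by its virtual DN under o=OtherExample,c=US while the requester is identified by the real DN under dc=example,dc=com, so "by self" fails and the user falls through to no access. Massaging both DNs into the same naming context before comparing makes the clause match again, which is the check a reviewer would want on any fix.

```python
# Toy model of suffix massaging and "by self" ACL evaluation (hypothetical
# helpers written for this illustration, not OpenLDAP's implementation).

VIRTUAL_SUFFIX = "o=OtherExample,c=US"      # suffix of the relay database
REAL_SUFFIX = "dc=example,dc=com"           # suffix it is massaged to

# Constructed from the two DNs that appear in the acl_mask log lines above.
ENTRY_DN = "cn=Ursula Hampster,ou=Alumni Association,ou=People,o=OtherExample,c=US"
REQUESTER_DN = "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com"
MANAGER_DN = "cn=Manager,o=Local"


def normalize_dn(dn):
    """Case-insensitive, whitespace-insensitive DN form for comparison.
    Simplification: escaped commas inside RDN values are not handled."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def suffix_massage(dn, virtual_suffix, real_suffix):
    """Rewrite a DN under virtual_suffix into the equivalent DN under
    real_suffix, as rwm-suffixmassage does for DNs sent to the relayed
    backend. DNs outside the virtual suffix are returned unchanged."""
    ndn, vs, rs = (normalize_dn(x) for x in (dn, virtual_suffix, real_suffix))
    if ndn == vs:
        return rs
    if ndn.endswith("," + vs):
        return ndn[: -len(vs)] + rs
    return ndn


def acl_access(entry_dn, requester_dn):
    """Evaluate the report's userPassword ACL clause by clause, first match
    wins. An empty requester DN models an anonymous bind."""
    if normalize_dn(requester_dn) == normalize_dn(MANAGER_DN):
        return "write"                      # by dn="cn=Manager,o=Local" write
    if requester_dn and normalize_dn(entry_dn) == normalize_dn(requester_dn):
        return "write"                      # by self write
    if not requester_dn:
        return "auth"                       # by anonymous auth
    return "none"                           # implicit "by * none"


def acl_access_same_context(entry_dn, requester_dn):
    """Same evaluation, but both DNs are massaged into the real naming
    context first, so a virtual entry DN and a real requester DN that denote
    the same object compare equal."""
    return acl_access(
        suffix_massage(entry_dn, VIRTUAL_SUFFIX, REAL_SUFFIX),
        suffix_massage(requester_dn, VIRTUAL_SUFFIX, REAL_SUFFIX),
    )


def reproduce():
    """Return (access as logged in the report, access once contexts agree)."""
    return acl_access(ENTRY_DN, REQUESTER_DN), acl_access_same_context(ENTRY_DN, REQUESTER_DN)


if __name__ == "__main__":
    broken, fixed = reproduce()
    print(f"virtual entry vs real requester: {broken}")     # none, matching (=0)
    print(f"both DNs in the real context:    {fixed}")      # write
```

Running the block prints `none` for the mismatched comparison and `write` once both DNs live in the same context; the manager and anonymous clauses are unaffected by the massage, which is why only self-service password changes trip over the problem.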