[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldappasswd needing write access to entry


I just set up OpenLDAP 2.0.0 and configured it like this:

defaultaccess: none

access to 
dn="cn=.*,o=org,c=de" filter=(objectClass=person) attr=userPassword
    by dn="cn=Manager,o=org,c=de" sockurl="ldaps://.*" write
    by self sockurl="ldaps://.*" =w
    by * sockurl="ldaps://.*" =x

access to 
dn="cn=.*,o=org,c=de" filter=(objectClass=person) attr=entry,objectClass,cn
    by dn="cn=Manager,o=org,c=de" sockurl="ldaps://.*" write
    by * read

When I set the password using something like

ldapmodify -r -Dcn=user,o=org,c=de -W -f a -H ldaps://server:636/

where a contains

dn: cn=user,o=org,c=de
userPassword: <ssha'd pw>

everything works great. But if I try to change the password using
ldappasswd I get

Result: Insufficient access (50)
Additional info: access to authorization entry denied

I ran slapd with -d129 and saw that the password change extop requests
write access to "entry" and doesn't get it due to my configuration. If I
give it write access to the entry everything works great. But I don't want
to do so for production since I don't know what a user with write access
to her entry might additionally be allowed to do with it.

So my question is: Why does ldappasswd need write access to the user's
entry while ldapmodify doesn't? Any help is grealty appreciated!
bye, Micha