Re: ldappasswd needing write access to entry



At 02:45 PM 9/5/00 +0200, Michael Weiser wrote:
>I ran slapd with -d129 and saw that the password change extop requests
>write access to "entry" and doesn't get it due to my configuration. If I
>give it write access to the entry everything works great.

For now, you should just move entry up to the first ACL.  It should
have no effect other than granting the desired access.

>But I don't want
>to do so for production since I don't know what a user with write access
>to her entry might additionally be allowed to do with it.

Entry grants access to the "entry" for search.  It *should not*
be required otherwise.  The bind "auth" and passwd-exop requirement
should be dropped.

>So my question is: Why does ldappasswd need write access to the user's
>entry while ldapmodify doesn't?

ldappasswd (passwd-exop) shouldn't.  It's a bug.