slapd conf--password updates
OK, thanks for the help on my previous post. I now have the following situation:

1. slapd runs and serves queries (ldapsearch and gq will both return valid results)
2. I have PAM working with ldap and can login on workstations that don't have a local account for a given remote account (e.g. user sparty exists only on the server, but I can login on workstations as sparty).
3. Users can change their own passwords.
4. Root cannot change anyone else's password.

(4) is the problem right now; it seems like it must be an ACL issue, since I can't even use gq to modify the userPassword field (I'm told I have insufficient access), despite having gq set up to connect as uid=root,ou=People,dc=smcvt,dc=edu (I *think*...is there anything to confirm or deny this in the log below?) with the password provided in slapd.conf (and I can browse without error messages, so I'm guessing that the connection works). slapd.conf and log file excerpt below; if you want to see more log info, let me know what would help and I can get it.
slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/rfc822-MailMember.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/redhat/kerberosobject.schema
#######################################################################
# ldbm database definitions
#######################################################################
idletimeout 90
# 90-second idle timeout == forcible disconnect
threads 17
# maximum of 17 threads (shouldn't need more than 14 with
# 14 machines ,so 17 should be safe, right?)
defaultsearchbase "dc=smcvt,dc=edu"
database ldbm
suffix "dc=smcvt,dc=edu"
rootdn "uid=root,ou=People,dc=smcvt,dc=edu"
rootpw {crypt} [crypted password deleted]
directory /var/lib/ldap
# Indices to maintain
index objectClass,uid,uidNumber,gidNumber eq
index cn,mail,surname,givenname eq,subinitial
#loglevel 8+32+64+128+2048
#1 fxn calls
#2 debug packet handling
#4 heavy trace debugging
#8 connection mgmt
#16 print packets sent/rcvd
#32 search filter proc
#64 config file proc
#128 acl proc
#256 stats
#512 stats
#1024 print comm w/shell backends
#2048 entry parsing
loglevel 2290
# ACLs
# (continuation lines of an access directive must start with whitespace)
access to dn=".*,ou=People,dc=smcvt,dc=edu"
        attr=userPassword
        by self write
        by dn="uid=root,ou=People,dc=smcvt,dc=edu" write
        by * auth
access to dn=".*,dc=smcvt,dc=edu"
        by self write
        by dn="uid=root,ou=People,dc=smcvt,dc=edu" write
        by * read
access to dn=".*,dc=smcvt,dc=edu"
        by * read
log results:
Sep 16 15:51:56 CeilidhRose slapd[24885]: => access_allowed: write access to "cn=kbroderick,ou=Group,dc=smcvt,dc=edu" "userPassword" requested
Sep 16 15:51:56 CeilidhRose slapd[24885]: => dnpat: [1] .*,ou=People,dc=smcvt,dc=edu nsub: 0
Sep 16 15:51:56 CeilidhRose slapd[24885]: => dnpat: [2] .*,dc=smcvt,dc=edu nsub: 0
Sep 16 15:51:56 CeilidhRose slapd[24885]: => acl_get: [2] matched
Sep 16 15:51:56 CeilidhRose slapd[24885]: => acl_get: [2] check attr userPassword
Sep 16 15:51:56 CeilidhRose slapd[24885]: <= acl_get: [2] acl cn=kbroderick,ou=Group,dc=smcvt,dc=edu attr: userPassword
Sep 16 15:51:56 CeilidhRose slapd[24885]: => acl_mask: access to entry "cn=kbroderick,ou=Group,dc=smcvt,dc=edu", attr "userPassword" requested
Sep 16 15:51:56 CeilidhRose slapd[24885]: => acl_mask: to all values by "", (=n)
Sep 16 15:51:56 CeilidhRose slapd[24885]: <= check a_dn_pat: self
Sep 16 15:51:56 CeilidhRose slapd[24885]: <= check a_dn_pat: uid=root,ou=People,dc=smcvt,dc=edu
Sep 16 15:51:56 CeilidhRose slapd[24885]: <= check a_dn_pat: *
Sep 16 15:51:56 CeilidhRose slapd[24885]: <= acl_mask: [3] applying read (=rscx) (stop)
Sep 16 15:51:56 CeilidhRose slapd[24885]: <= acl_mask: [3] mask: read (=rscx)
Sep 16 15:51:56 CeilidhRose slapd[24885]: => access_allowed: write access denied by read (=rscx)
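As an added illustration (not part of the original message, and not OpenLDAP's own code), the following Python script models the ACL evaluation order that the log excerpt above makes visible: slapd takes the first `access to` clause whose DN regex and attribute restriction both match the target entry (the `dnpat: [n]` / `acl_get: [n] matched` lines), then walks that clause's `by` list in order and applies the level of the first `by` that matches the bind identity (the `check a_dn_pat` / `applying` lines), and finally compares the granted level with the requested one. The ACL table and rootdn are transcribed from the posted slapd.conf; the model also reflects the documented rule that a bind as the configured rootdn bypasses ACL evaluation altogether. The entry DN is the one named in the log, the bind DN `uid=sparty,ou=People,...` is a constructed sample, the `LEVELS` ordering and case-insensitive full-regex matching are simplifying assumptions, and the real slapd logic has more cases than shown here.

```python
"""Simplified model of slapd's regex-style ACL evaluation (added example)."""
import re

# ACL table transcribed from the posted slapd.conf:
# (dn regex, attribute restriction or None, [(who, granted level), ...])
ACLS = [
    (r".*,ou=People,dc=smcvt,dc=edu", "userPassword",
     [("self", "write"),
      ("uid=root,ou=People,dc=smcvt,dc=edu", "write"),
      ("*", "auth")]),
    (r".*,dc=smcvt,dc=edu", None,
     [("self", "write"),
      ("uid=root,ou=People,dc=smcvt,dc=edu", "write"),
      ("*", "read")]),
    (r".*,dc=smcvt,dc=edu", None,
     [("*", "read")]),
]

# Access levels in increasing order (assumed ordering for this model);
# a granted level also covers every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# rootdn from the posted slapd.conf; slapd grants it full access
# without consulting the ACLs at all.
ROOTDN = "uid=root,ou=People,dc=smcvt,dc=edu"


def select_acl(target_dn, attr):
    """Return (1-based clause index, by-list) of the first 'access to' clause
    whose DN pattern and attribute restriction both match the target.
    Mirrors the 'dnpat: [n]' / 'acl_get: [n] matched' log lines."""
    for idx, (pattern, acl_attr, by_list) in enumerate(ACLS, start=1):
        if not re.fullmatch(pattern, target_dn, re.IGNORECASE):
            continue
        if acl_attr is not None and acl_attr.lower() != attr.lower():
            continue
        return idx, by_list
    return None, []


def who_matches(who, bind_dn, target_dn):
    """Does a single 'by' selector match the bind identity ('' = anonymous)?"""
    if who == "*":
        return True
    if not bind_dn:                      # anonymous never matches self or a dn
        return False
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    return who.lower() == bind_dn.lower()


def granted_level(bind_dn, target_dn, attr):
    """Walk the selected clause's 'by' list in order and return
    (clause index, level) for the first matching selector.
    Mirrors the 'check a_dn_pat' / 'applying <level>' log lines."""
    idx, by_list = select_acl(target_dn, attr)
    if idx is None:
        return None, "none"              # no clause matched: default deny
    for who, level in by_list:
        if who_matches(who, bind_dn, target_dn):
            return idx, level
    return idx, "none"


def access_allowed(bind_dn, target_dn, attr, requested):
    """True if bind_dn may perform `requested` on `attr` of target_dn."""
    if bind_dn and bind_dn.lower() == ROOTDN.lower():
        return True                      # rootdn bypasses ACL evaluation
    _, level = granted_level(bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(requested)


if __name__ == "__main__":
    group_entry = "cn=kbroderick,ou=Group,dc=smcvt,dc=edu"   # entry from the log
    # Same situation as the log: anonymous bind ("") against a Group entry.
    print(granted_level("", group_entry, "userPassword"))             # (2, 'read')
    print(access_allowed("", group_entry, "userPassword", "write"))   # False
    # The same write when actually bound as the rootdn.
    print(access_allowed(ROOTDN, group_entry, "userPassword", "write"))  # True
```

Run against the log's inputs the model lands on clause [2] with `by *` read and denies the write, exactly as the excerpt does; the `by ""` in `acl_mask: to all values by ""` is what the model takes as an empty (anonymous) bind identity, and feeding the rootdn in instead changes the outcome.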