
RE: Simple ACL problem



Good day,

> | Good day,
> | 
> | I'm just trying to set up a simple ACL that lets users look at their own
> | attributes, change their passwords, and not have access to the LDAP tree
> | outside of the accounts subtree.
> 
> I only see write access to self with the password attr but they don't
> seem to have write access to the accounts tree.  The only write access to
> the subtree seems to be the admin but I'm far from being an expert.


Yes, that's exactly what I have described and desired.  Again, the users are
only supposed to have write access to their own passwords.  They aren't
supposed to be able to change anything else.

The problem is that users CAN'T change their passwords, and I do not
understand why.



> Hope this helps,
> 
> ed
> 
> | 
> | The ACL works, except that for some reason users can't modify their own
> | passwords (the admin user can, though), instead getting an error 32 (no such
> | object).  As near as I can tell, the ACL _is_ set up properly, according to
> | 5.3 in the 2.0 Admin Guide.
> | 
> | Does anyone see the error?  Using 2.0.27 on Red Hat 7.2 (we'll be upgrading
> | to 2.1.X in the near future).
> | 
> | 
> | access to attr=userPassword
> |         by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
> |         by self write
> |         by * auth
> | 
> | access to dn.subtree="ou=Accounts,o=Shaw Cablesystems,c=CA"
> |         by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
> |         by * read
> | 
> | access to *
> |         by dn="cn=admin,o=Shaw Cablesystems,c=CA" write
> |         by self read
> |         by * none
> | 
> | 
> | 
> | Thanks in advance,
> | 
> | ============================
> | Darren Gamble
> | Planner, Regional Services
> | Shaw Cablesystems GP
> | 630 - 3rd Avenue SW
> | Calgary, Alberta, Canada
> | T2P 4L4
> | (403) 781-4948
> | 
> | 
> 
> 
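To see what the three `access to` directives quoted above grant on paper, here is an added Python model of slapd's first-match evaluation; it is not code from the thread, and it simplifies slapd (the first `access to` whose target matches is the only one consulted, and within it the first matching `by` clause decides). The user DNs `uid=alice` and `uid=bob` are constructed for the example.

```python
from typing import List, Optional, Tuple

# Constructed DNs that mirror the naming in the posted slapd.conf.
ADMIN_DN = "cn=admin,o=Shaw Cablesystems,c=CA"
ACCOUNTS_BASE = "ou=Accounts,o=Shaw Cablesystems,c=CA"
USER_DN = "uid=alice,ou=Accounts,o=Shaw Cablesystems,c=CA"      # constructed example user
OTHER_USER_DN = "uid=bob,ou=Accounts,o=Shaw Cablesystems,c=CA"  # constructed second user

# slapd access levels are cumulative: each level implies the ones before it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# (attr or None, subtree or None, [(who, level), ...]) -- the three rules from the post, in order.
Rule = Tuple[Optional[str], Optional[str], List[Tuple[str, str]]]
ACL: List[Rule] = [
    ("userPassword", None, [("dn=" + ADMIN_DN, "write"), ("self", "write"), ("*", "auth")]),
    (None, ACCOUNTS_BASE, [("dn=" + ADMIN_DN, "write"), ("*", "read")]),
    (None, None, [("dn=" + ADMIN_DN, "write"), ("self", "read"), ("*", "none")]),
]

def in_subtree(dn: str, base: str) -> bool:
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True                                   # anonymous is included in '*'
    if bind_dn is None:
        return False                                  # 'self' and 'dn=' need a bound identity
    if who == "self":
        return bind_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return bind_dn.lower() == who[3:].lower()
    return False

def access_level(bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    """Level granted to bind_dn on attr of target_dn under first-match evaluation."""
    for rule_attr, rule_base, clauses in ACL:
        if rule_attr is not None and rule_attr.lower() != attr.lower():
            continue
        if rule_base is not None and not in_subtree(target_dn, rule_base):
            continue
        for who, level in clauses:                    # first matching 'by' clause decides
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"                                 # 'access to' matched, no 'by' did: denied
    return "none"

def allows(bind_dn: Optional[str], target_dn: str, attr: str, needed: str) -> bool:
    return LEVELS.index(access_level(bind_dn, target_dn, attr)) >= LEVELS.index(needed)
```

`allows(USER_DN, USER_DN, "userPassword", "write")` returns True, while the same user gets only `auth` on another user's `userPassword` and `none` outside the Accounts subtree. The model does not reproduce every check slapd performs on a modify, so it cannot by itself explain the error 32 reported in the thread.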