
RE: Building openldap with overlays



>-----Original Message-----
>From: Howard Chu [mailto:hyc@symas.com] 
>Ah, right.

>You cannot build the module in HEAD and use it with 2.2.18. You must
>copy the ppolicy.c source to the 2.2.18 build tree and build it there.

Right, thanks.  That works now, and all the tests are okay.  Hurrah!

However I now have one (hopefully) small issue with access controls...

If I use the ldappasswd command to update a users password it works fine
if I bind as the rootdn, but refuses to work if I bind as the user
themselves, i.e.

ldappasswd -Z -x -D "uid=user,ou=People,dc=example,dc=com" -w oldpw -a oldpw -s newpw

I get
Result: Insufficient access (50)

Looking at the logs I can see (trimmed)
acl_mask: access to entry "uid=user,ou=People,dc=example,dc=com", attr
"pwdChangedTime" requested
access_allowed: write access denied by read(=rscx)

Now this is clearly because my slapd.conf only allows 'self write'
access to userPassword, whereas the test slapd.conf allows 'access to *
by self write'.  
pwdChangedTime is an operational attribute, so I don't seem to be able
to set ACLs on it in slapd.conf (other than with a wildcard).  Also I
would have thought that it is not desirable to give a user write access
to the password expiry control information in their own account(?)



BMRB International 
http://www.bmrb.co.uk
+44 (0)20 8566 5000
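The denial in the log above follows directly from how slapd picks an access level: the first "access to" directive whose target matches the entry and attribute decides, and within it the first matching "by" clause sets the level, so "self write" on userPassword says nothing about pwdChangedTime, which falls through to the wildcard's "read". The following script is an added example written for this page (not OpenLDAP code and not the poster's configuration): it models that first-match evaluation for the 2.2-era access levels, with the rootdn bypass, and runs three constructed slapd.conf fragments through a self-service password change, which with the ppolicy overlay needs write access on both userPassword and pwdChangedTime. REPORTER_CONF is reconstructed from the post's description, TEST_CONF from the quoted "access to * by self write", and EXPLICIT_CONF is a hypothetical narrower grant that assumes attrs= may name the operational attribute (check slapd.access(5) for your version); whether granting a user write on their own expiry bookkeeping is acceptable is exactly the question the post raises, and the model does not answer it.

```python
"""Toy model of slapd 'access to ... by ...' evaluation (added example, not OpenLDAP code).

Reproduces the first-matching-rule logic closely enough to show why 'self write' on
userPassword alone leaves pwdChangedTime at the wildcard's 'read' level.
"""
import shlex

LEVELS = ["none", "auth", "compare", "search", "read", "write"]   # 2.2-era set, low to high
LETTERS = {"none": "0", "auth": "x", "compare": "cx", "search": "scx",
           "read": "rscx", "write": "wrscx"}                      # the '(=rscx)' form in the log


def logical_lines(text):
    """Join slapd.conf continuation lines (a line starting with whitespace continues the previous)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_acls(text):
    """Return rules in file order: {'what': [clauses], 'by': [(who, level), ...]}."""
    rules = []
    for line in logical_lines(text):
        tok = shlex.split(line)                       # handles dn="..." quoting
        if not tok or tok[0].lower() != "access":
            continue                                  # other directives do not matter here
        if len(tok) < 3 or tok[1].lower() != "to":
            raise ValueError("malformed access directive: " + line)
        i, what, by = 2, [], []
        while i < len(tok) and tok[i].lower() != "by":
            what.append(tok[i])
            i += 1
        while i < len(tok):
            if tok[i].lower() != "by" or i + 2 >= len(tok):
                raise ValueError("malformed <by> clause: " + line)
            who, level = tok[i + 1], tok[i + 2].lower()
            if level not in LEVELS:
                raise ValueError("unsupported access level in this model: " + level)
            by.append((who, level))
            i += 3
        rules.append({"what": what, "by": by})
    return rules


def what_matches(what, entry_dn, attr):
    """Model supports '*', attrs=/attr= lists and exact dn= targets; all clauses must match."""
    for clause in what:
        c = clause.lower()
        if c == "*":
            continue
        if c.startswith("attrs=") or c.startswith("attr="):
            if attr is None or attr.lower() not in c.split("=", 1)[1].split(","):
                return False
        elif c.startswith("dn=") or c.startswith("dn.exact="):
            if entry_dn.lower() != c.split("=", 1)[1]:
                return False
        else:
            raise ValueError("unsupported <what> clause in this model: " + clause)
    return True


def who_matches(who, entry_dn, bind_dn):
    w = who.lower()
    if w == "*":
        return True
    if w == "anonymous":
        return not bind_dn
    if w == "users":
        return bool(bind_dn)
    if w == "self":
        return bool(bind_dn) and bind_dn.lower() == entry_dn.lower()
    if w.startswith("dn=") or w.startswith("dn.exact="):
        return bool(bind_dn) and bind_dn.lower() == w.split("=", 1)[1]
    raise ValueError("unsupported <who> clause in this model: " + who)


def granted_level(rules, entry_dn, attr, bind_dn, rootdn=None):
    """First rule whose <what> matches decides; within it, the first matching <by>."""
    if rootdn and bind_dn and bind_dn.lower() == rootdn.lower():
        return "write"          # the rootdn is not subject to access control at all
    if not rules:
        return "read"           # no access directives: slapd defaults to 'access to * by * read'
    for rule in rules:
        if what_matches(rule["what"], entry_dn, attr):
            for who, level in rule["by"]:
                if who_matches(who, entry_dn, bind_dn):
                    return level
            return "none"       # rule matched but no <by> did: implicit 'by * none'
    return "none"               # nothing matched: implicit trailing 'access to * by * none'


def check(rules, entry_dn, attr, bind_dn, wanted, rootdn=None):
    """Return (allowed, message) in the shape of the access_allowed log line quoted in the post."""
    got = granted_level(rules, entry_dn, attr, bind_dn, rootdn)
    allowed = LEVELS.index(got) >= LEVELS.index(wanted)
    return allowed, f"{wanted} access {'granted' if allowed else 'denied'} by {got}(={LETTERS[got]})"


USER = "uid=user,ou=People,dc=example,dc=com"

# Constructed to match the post's description: self write on userPassword only, wildcard read.
REPORTER_CONF = """\
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""
# Constructed from the quoted test configuration's 'access to * by self write'.
TEST_CONF = """\
access to *
        by self write
        by * read
"""
# Hypothetical narrower grant; assumes attrs= may name the operational attribute.
EXPLICIT_CONF = """\
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to attrs=pwdChangedTime
        by self write
        by * read
access to *
        by * read
"""


def ppolicy_self_change(conf):
    """A self-service password change under ppolicy needs write on both attributes."""
    rules = parse_acls(conf)
    return {attr: check(rules, USER, attr, USER, "write")
            for attr in ("userPassword", "pwdChangedTime")}


if __name__ == "__main__":
    for name, conf in (("reporter", REPORTER_CONF), ("test", TEST_CONF), ("explicit", EXPLICIT_CONF)):
        for attr, (ok, msg) in ppolicy_self_change(conf).items():
            print(f"{name:9s} {attr:15s} {msg}")
```

Running it prints, for the reconstructed reporter configuration, "write access denied by read(=rscx)" for pwdChangedTime while userPassword is granted, which is the situation in the log; the other two fragments grant both. The model ignores the extra who/what selectors (regex, group, sets) and the incremental "+w" privilege syntax, and it does not know whether the overlay in a given version performs the pwdChangedTime update under the user's own access rights, so treat it as a way to reason about rule order, not as a substitute for slapd's own acl_mask output.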