Re: entry modify failed while trying to change user password
At 06:33 PM 7/26/2005, Quanah Gibson-Mount wrote:
>--On Tuesday, July 26, 2005 3:09 PM +0200 Pierangelo Masarati <firstname.lastname@example.org> wrote:
>>>Hello, I am having some problems with users being able to change their
>>>own passwords on the LDAP server. The result comes back with
>>>"implementation specific error 80" so I assume this means I setup
>>>something incorrectly, but I don't know what. Below is the error, below
>>>that is the security section of my slapd.conf file.
>>>ldappasswd -xSWD "uid=kris,ou=people,dc=xxxxxxxx,dc=com"
>>>Re-enter new password:
>>>Enter LDAP Password:
>>>Result: Internal (implementation specific) error (80)
>>>Additional info: entry modify failed
>>"80" means that something so weird happened that there's no standard code
>>to indicate it. As such, it might be useful to see what's going on on the
>>server side, starting from: version, slapd.conf and logs when the problem
>>><slapd.conf security section>
>>>access to *
>>> by * read
>>>access to attrs=userPassword
>>> by self write
>>> by * auth
>>This looks correct.
>Actually, I have a question about this. Since access to * by * read comes first, won't the second ACL never be evaluated? My understanding of OpenLDAP ACLs is they stop at the first matching ACL that gives any sort of access (unless there is a by * break in there). And besides, isn't this ACL particularly insecure, in that it would allow anyone to read anyone else's password? I would expect that these two ACLs should be reversed.
The second access statement is ignored as the first catches all targets.
>Principal Software Developer
>GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>"These censorship operations against schools and libraries are stronger
>than ever in the present religio-political climate. They often focus on
>fantasy and sf books, which foster that deadly enemy to bigotry and blind
>faith, the imagination." -- Ursula K. Le Guin