Re: ACL problem
On Tue, 2005-11-01 at 22:00 +0800, Feifei Jia wrote:
> On 10/31/05, Samuel Tran <stran@amnh.org> wrote:
> >
> > Sorry I made a mistake; it should be $2 instead of $1 in the who clause:
> >
> > access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
> >     by dn.one,expand="ou=Admin,dc=$2,dc=com" write
> >
> > Sam
> >
>
> Cool, that works, thanks.
>
> But there's a weird problem, the "userPassword" of entries in
> ou=People,dc=([^,]+),dc=com, either using my slapd admin account or
> entries in ou=Admin,dc=$2,dc=com, was invalid. I could successfully add
> the "userPassword", but when I used the "Password" to auth (say,
> ldapsearch), "ldap_bind: Invalid credentials (49)" showed up.
>
> All the entries not in ou=People,dc=([^,]+),dc=com can auth well. I
> added a new rule and put it before "access to attrs=userPassword"
> (slapd.conf default ACL):
> access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
>
> Still the same :(
Please could you post all your ACL rules?
Try to add this rule before the other rule:
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
    attrs=userPassword
    by dn.one,expand="ou=Admin,dc=$2,dc=com" write
    by self write
    by anonymous auth
This will allow:
- the admins to modify userPassword
- the users to modify their own userPassword
- anonymous to authenticate
--
Sam
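As an added illustration (not part of Sam's or Feifei's messages), here is how the access section of slapd.conf could look with the userPassword rule placed first, next to the ordering that was failing. The suffix dc=example,dc=com, the final "access to *" rule, and the exact shape of the default userPassword rule are assumptions, not taken from the thread. The point it shows: slapd applies the first "access to" directive whose target matches the entry and attribute, then the first matching "by" clause inside it; if no "by" clause matches, access is denied. The original People rule matched every attribute of a People entry, userPassword included, and only granted the admins anything, so an anonymous simple bind against a People entry got no "auth" access to userPassword and was refused with result 49, even though the password had been stored correctly. Putting the attrs=userPassword rule for People entries ahead of it restores "by anonymous auth" for those entries.

```conf
# Added example (not from the original thread). dc=example,dc=com and the
# trailing "access to *" rule are assumed for illustration.
#
# slapd evaluates "access to" directives in order. The first directive whose
# target (dn + attrs) matches is the one used; inside it the first matching
# "by" clause decides, and a directive with no matching "by" clause denies.

# --- Failing order (what the thread started with), kept here commented out ---
# This directive matches ALL attributes of a People entry, so it also owns
# userPassword. An anonymous bind needs "auth" on userPassword, but the only
# "by" clause is for the admins, so the bind falls through to the implicit
# "by * none" and slapd answers "Invalid credentials (49)". The later
# attrs=userPassword rule is never reached for People entries.
#
#access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
#    by dn.one,expand="ou=Admin,dc=$2,dc=com" write
#
#access to attrs=userPassword
#    by self write
#    by anonymous auth

# --- Working order ---
# 1. userPassword of People entries: admins of the same domain (one level
#    below ou=Admin,dc=<domain>,dc=com) may write it, the user may change
#    their own, and anonymous may use it to authenticate. This must come
#    BEFORE the general People rule below, because only the first matching
#    directive is consulted.
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$" attrs=userPassword
    by dn.one,expand="ou=Admin,dc=$2,dc=com" write
    by self write
    by anonymous auth

# 2. All other attributes of People entries: same-domain admins get write.
#    Anything not listed here is denied for these entries.
access to dn.regex="^(.+,)?ou=People,dc=([^,]+),dc=com$"
    by dn.one,expand="ou=Admin,dc=$2,dc=com" write

# 3. userPassword everywhere else (the rule Feifei already had for the
#    entries that were binding fine).
access to attrs=userPassword
    by self write
    by anonymous auth

# 4. Assumed catch-all for everything not covered above.
access to *
    by * read
```

A quick way to confirm which directive a bind is hitting is to run slapd with ACL debugging (`slapd -d acl`) and attempt the bind with ldapwhoami as the People user; the log shows the directive number that matched for userPassword and the access level it granted, which makes an ordering mistake like the one above obvious.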