
Re: ACLs and password policies



The problem, despite the return of an insufficientAccessRights
result code, appears (by my quick examination of the
overlay code) to have nothing to do with access controls.
It appears that an administrative policy was not adhered to.
In particular, as indicated by the additional text provided
with the result code, the client did not provide the old
password.

You should be able to duplicate this behavior using
ldappasswd(1).

You likely should consult the documentation of the LDAP
client software you are using to not only determine its
capabilities, but how to make use of those capabilities.
(Please use PADL-provided mailing lists to discuss issues
specific to PADL software.)

-- Kurt


At 01:27 PM 5/1/2006, Roy Ledochowski wrote:
>Hi All--
>
>I just recently implemented the ppolicy module and now my users can't 
>change their passwords using the 'passwd' utility.  I see the following 
>error in syslog (linux):
>
>pam_ldap: ldap_extended_operation_s Insufficient access
>
>Passwd returns the following:
>
>[root@wpclab-pdc prd]# passwd tester
>Changing password for user tester.
>New password: 
>Retype new password: 
>LDAP password information update failed: Unknown error
>Must supply old password to be changed as well as new one
>passwd: Permission denied
>
>
>I'm using PADL's nss_ldap and pam_ldap.  If I bind as manager, passwd 
>works correctly.  If I bind as my proxy user, I get the above errors.  I 
>realize this is most likely an ACL problem, so here's the relevant part of 
>my ACL file:
>
>access to 
>attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset
>        by dn="cn=ldap_repl,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=samba,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=smbldap-tools,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=nssldap,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=ldapux,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=solaris,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by self write
>        by * auth
>
>
>pam_ldap binds as nssldap.
>
>The ppolicy entries are world-readable, but not writable to the proxy user 
>because I could not see a need for it.
>
>Any help would be greatly appreciated
>
>thanks
>roy