[Date Prev][Date Next]
Re: access permissions
--On Thursday, August 16, 2007 6:25 PM -0500 Adam Williams
Quanah Gibson-Mount wrote:
Well, in your above example here, ADAM binds as TESTUSER not as ADAM,
and so is able to change TESTUSERs password. I see no problem with
your ACLs, only your test. I.e., all you have proven is that testuser
can change their own password.
The correct test would be to do:
"uid=adam,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us" -w xxxxx -x
-v -f changepasswd.ldif
Yes, I think you are right, I don't have a configuration error, just a
logic problem in my head. I was just seeing if I could change testuser's
password with the same password testuser is already using. And adam and
testuser have the same password, which would make the ldapmodify command
succeed whether adam or testuser ran it. I'll try tomorrow with a
different password in changepasswd.ldif and see what happens. Thanks!
Um, you still missed my point.
The point here is, you become user "adam" to UNIX, but when you talk to the
ldap server, you talk to it as user "testuser". You need to talk to the
ldap server as "adam" for your test to be valid. As long as you use
"testuser" as your bind dn to the LDAP server, it will always be able to
change its own password.
Principal Software Engineer
Zimbra :: the leader in open source messaging and collaboration