
OpenLDAP Group ACL


I'd appreciate it if any of you are willing to take the time to share with me your experience with OpenLDAP running on a RedHat server configured with a group ACL.


I'm trying to grant a group of people (including myself) permission to change user LDAP passwords. However, when I try to change a user's LDAP password, I receive the following message:


Result: Insufficient access (50)


The command that I used was:


ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S "uid=w_smith,ou=People,dc=mydomain,dc=com"


My ACL settings in the slapd.conf file are:


access to attr=userPassword
        by self write
        by anonymous auth
        by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
        by * none
access to *
        by self write
        by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
        by * read


My netgroup has been defined as the following:


dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: ITgroup
nisNetgroupTriple: (,l_luke,mydomain.com)
nisNetgroupTriple: (,w_smith,mydomain.com)
nisNetgroupTriple: (,g_baker,mydomain.com)
description: Password Keepers


My user entry is:


# l_luke, People mydomain.com
dn: uid=l_luke,ou=People,dc=mydomain,dc=com
uid: l_luke
cn: l_luke
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13958
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/l_luke
gecos: Luke Lee


Can anyone point me in the right direction or share with me the correct group ACL settings that you have? Thanks!

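The ACL in the post names a nisNetgroup, but slapd's group.exact clause tests membership by looking for the bind DN among the values of a DN-valued member attribute (groupOfNames/member by default); nisNetgroupTriple holds netgroup triples, not DNs, so the binding user never matches the group clause and the request falls through to "by * none", which is exactly the Insufficient access (50) result. The listing below is an added illustration, not part of the original post: an LDIF entry recreating the group as a groupOfNames (under an assumed ou=Group container, with member DNs assumed to live under ou=People like the posted user entry), followed by the slapd.conf stanza that refers to it.

```conf
# Added example, not from the original post.
# Part 1 (LDIF): the group recreated as a groupOfNames so that the ACL's
# group clause has DN values to compare the bind DN against.
# ou=Group is an assumed container name.
dn: cn=ITgroup,ou=Group,dc=mydomain,dc=com
objectClass: groupOfNames
objectClass: top
cn: ITgroup
description: Password Keepers
# Each member value must equal, exactly, the DN the administrator binds with.
# The entries are assumed to sit under ou=People as in the posted user entry.
member: uid=l_luke,ou=People,dc=mydomain,dc=com
member: uid=w_smith,ou=People,dc=mydomain,dc=com
member: uid=g_baker,ou=People,dc=mydomain,dc=com

# Part 2 (slapd.conf): ACL stanza pointing at that group. slapd stops at the
# first "by" clause that matches, so the group clause is consulted only for
# binds that are neither the target entry itself nor anonymous.
access to attrs=userPassword
        by self write
        by anonymous auth
        by group.exact="cn=ITgroup,ou=Group,dc=mydomain,dc=com" write
        by * none
access to *
        by self write
        by group.exact="cn=ITgroup,ou=Group,dc=mydomain,dc=com" write
        by * read
```

The -D bind DN passed to ldappasswd must be one of the member values character for character; the posted command binds as uid=l_luke,ou=Netgroup,... while the posted user entry is uid=l_luke,ou=People,..., so those two should be reconciled as well.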