
RE: Issue while changing user password by self



My users are allowed to modify their own passwords.  My ACL is set like this:


olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none

olcAccess: {1} to * by * read


Though not the perfect configuration, it works.   In yours, I don't see the userPassword attribute.




John D. Borresen (Dave)

Email: john.borresen@ll.mit.edu


From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Rajagopal Rc
Sent: Wednesday, December 23, 2015 2:04 AM
To: openldap-technical@openldap.org
Subject: Issue while changing user password by self



I am trying to allow users to change their own passwords

        OS                        RHEL7
        Openldap version         2.4.39-7.el7_1.x86_64

ACL in slapd.conf
        disallow bind_anon

access to attrs=userPassword
       by self write
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * auth

access to *
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * break

access to *
       by dn="cn=Manager,dc=rnd,dc=com"
       by users read
       by self write
       by * auth

From the client machine, 'user5' is trying to change their own password and getting the following error:

$ ldappasswd -H ldaps://ldapdev.rnd.com:636 -x -D "cn=user 5,ou=people,dc=rnd,dc=com" -W -A  -S
Old password:
Re-enter old password:
New password:
Re-enter new password:
Enter LDAP Password:
Result: Insufficient access (50)
Additional info: User alteration of password is not allowed

This error looks like a permissions issue, yet I have already allowed access to attrs=userPassword by self write in slapd.conf. Please let me know if there is anything wrong in the above ACL and why I am getting this error.

Thanks & Regards
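Both posts hinge on how slapd evaluates `access to` directives: the first directive whose target covers the requested attribute is selected, its `by` clauses are tried in order, the first matching `by` decides the level, `stop` (the default) ends evaluation and `break` moves on to the next directive. The following is an added example written for this thread, not code from either poster or from OpenLDAP: a small Python model of those rules, run over the two ACL sets quoted above (embedded as constructed input, with the typographic quotes in the cn=admin line replaced by plain ones). It shows that both configurations grant `self write` on userPassword, and also that in the second configuration's last directive `by users read` precedes `by self write`, so an authenticated user never gets write on any attribute of their own entry other than userPassword. The model treats `dn=` as `dn.exact`, treats an omitted access level (as in `by * break`) as "leave the level unchanged", and does not model the rootdn's bypass of ACLs.

```python
"""Toy model of slapd access-control evaluation (added example, not OpenLDAP code).

Implements the first-match rules of slapd.access(5) for the <what> and <who>
forms used in the thread: targets '*' and 'attrs=a,b'; requesters '*', 'self',
'anonymous', 'users', dn="..." / dn.base="..." / dn.exact="..."; controls
'stop' (default) and 'break'. An omitted access level leaves the current level
unchanged. The rootdn bypass is not modelled.
"""
import re
import shlex

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = ("stop", "break")

# Accept both slapd.conf ('access to ...') and cn=config ('olcAccess: {n} to ...').
_DIRECTIVE = re.compile(r"(?m)^\s*(?:access\s+to|olcAccess:\s*\{\d+\}\s*to)\s+")


def parse_acl(text):
    """Return a list of (what, [(who, level_or_None, control), ...])."""
    acls = []
    for body in _DIRECTIVE.split(text)[1:]:
        tokens = shlex.split(body)            # shlex strips the quotes around DNs
        what, rest = tokens[0], tokens[1:]
        clauses = []
        while rest:
            if rest[0] != "by" or len(rest) < 2:
                raise ValueError("malformed by-clause near %r" % rest[:3])
            who, rest = rest[1], rest[2:]
            level = control = None
            if rest and rest[0] in LEVELS:
                level, rest = rest[0], rest[1:]
            if rest and rest[0] in CONTROLS:
                control, rest = rest[0], rest[1:]
            clauses.append((who, level, control or "stop"))
        acls.append((what, clauses))
    return acls


def _norm(dn):
    """Crude DN normalisation: lower-case, no whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.lower() for a in what[len("attrs="):].split(",")]
    raise ValueError("unsupported <what>: %r" % what)


def _who_matches(who, requester_dn, entry_dn):
    """requester_dn is None for an anonymous (unauthenticated) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and _norm(requester_dn) == _norm(entry_dn)
    m = re.match(r"dn(?:\.(?:base|exact))?=(.+)$", who)
    if m:
        return requester_dn is not None and _norm(requester_dn) == _norm(m.group(1))
    raise ValueError("unsupported <who>: %r" % who)


def effective_access(acls, requester_dn, entry_dn, attr):
    """Access level the modelled rules grant requester_dn on attr of entry_dn."""
    granted = "none"
    for what, clauses in acls:
        if not _what_matches(what, attr):
            continue
        for who, level, control in clauses:
            if not _who_matches(who, requester_dn, entry_dn):
                continue
            if level is not None:
                granted = level
            if control == "stop":
                return granted
            break                             # 'break': go on with the next directive
        else:
            return "none"                     # directive matched, no <by> did: implicit 'by * none'
    return granted


# Constructed input: the two ACL sets quoted in the thread (plain quotes only).
DAVE_ACL = '''
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none
olcAccess: {1} to * by * read
'''

RAJAGOPAL_ACL = '''
access to attrs=userPassword
       by self write
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * auth

access to *
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * break

access to *
       by dn="cn=Manager,dc=rnd,dc=com"
       by users read
       by self write
       by * auth
'''

USER5 = "cn=user 5,ou=people,dc=rnd,dc=com"
OTHER = "cn=user 6,ou=people,dc=rnd,dc=com"   # hypothetical second user


def check_thread_acls():
    """Evaluate the cases the thread is about; returns {case: level}."""
    dave = parse_acl(DAVE_ACL)
    raja = parse_acl(RAJAGOPAL_ACL)
    return {
        "dave_self_pw": effective_access(dave, USER5, USER5, "userPassword"),
        "dave_anon_pw": effective_access(dave, None, USER5, "userPassword"),
        "dave_other_pw": effective_access(dave, OTHER, USER5, "userPassword"),
        "dave_anon_cn": effective_access(dave, None, USER5, "cn"),
        "raja_self_pw": effective_access(raja, USER5, USER5, "userPassword"),
        "raja_binduser_pw": effective_access(raja, "cn=binduser,dc=rnd,dc=com", USER5, "userPassword"),
        "raja_anon_pw": effective_access(raja, None, USER5, "userPassword"),
        # 'by users read' precedes 'by self write' in the last directive, so self
        # gets only read on its own non-password attributes.
        "raja_self_cn": effective_access(raja, USER5, USER5, "cn"),
    }


if __name__ == "__main__":
    for case, level in check_thread_acls().items():
        print("%-18s %s" % (case, level))
```

On a real server the authoritative check is slapacl(8) against the actual configuration, for example `slapacl -f /etc/openldap/slapd.conf -D "cn=user 5,ou=people,dc=rnd,dc=com" -b "cn=user 5,ou=people,dc=rnd,dc=com" userPassword/write`. One caveat: the exact text "User alteration of password is not allowed" is produced by the ppolicy overlay when the applicable password policy has pwdAllowUserChange set to FALSE, not by the ACL engine, so neither this model nor slapacl can reproduce that particular message.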

