[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Insufficient acces in some cases

To: Clément OUDOT <clement.oudot@worteks.com>
Subject: Re: Insufficient acces in some cases
From: Ervin Hegedüs <airween@gmail.com>
Date: Wed, 19 Sep 2018 10:04:17 +0200
Cc: openldap-technical@openldap.org
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:content-transfer-encoding:in-reply-to :user-agent; bh=HRej17MMmKCYUTEEF3XohIE499jZihxcgooZ/4AYEEc=; b=KbFeSjuC3YogW/i6cq9Ko6waLjKp1waXx3UlrkpoLomAxRlUqe4RQaaSzkWU8Il4c4 /Pc8qwOmXa434pFzL+VYvSewt3tksfEHaPaOFQa8OFhbgOVO5fsoze9i/djw7bwcNOht LrjD/7ECmlDN8BNXX4MIrSR/51g3VYekiN0dERWcNwuS6aUk5ezeh5P4ZdGsAwTZ8gN6 +d2F/tNQYmPjn5mKW2uESE/ncMSvBhUXafCevRUm++pjfIEoevbTs5kK9JOoKRXm7s/K H17WPAmoI4eGKeXEgdpcOQHIbTvO6ALvTurRcd+JIKAJDqZGYxio++MIXQssDUEjpxDE 1+Fw==
In-reply-to: <5406100b-5729-3f39-f4e7-6f740161ae0d@worteks.com>
References: <20180918161109.GA28878@arxnet.hu> <fd4e62f0-9f5d-b746-41a5-0cc35b840765@worteks.com> <20180918202322.GA6367@arxnet.hu> <389747f7-7c39-c75e-46aa-3707f0c565b5@worteks.com> <20180918211023.GA15775@arxnet.hu> <5406100b-5729-3f39-f4e7-6f740161ae0d@worteks.com>
User-agent: Mutt/1.5.24 (2015-08-30)

Hi,

On Tue, Sep 18, 2018 at 11:21:07PM +0200, Clément OUDOT wrote:
> 
> No, the olcAccess {3} deny all access inside dc=bigcompany,dc=hu, the
> rule {4} is never evaluated.

yep,

> > And as I wrote in first mail, the simple "ldapmodify" works as
> > well.
> 
> Do you test to modify only userPassword attribute? Or your modification
> is also on Samba attributes?

SMB attributes modification was denied when I tested today.

> > And more important, the other users under the same OU can change
> > their own userpassword/nt/lm password attributes through PHP.
> 
> I don't how, because your ACL allow only userPassword modification for
> 'self'.

so, you're right, Clément, and thanks for the clarification.

Our end customers desinformed me - today become clear that nobody
can modify their passwords (userPassword, NT/LM passwd) through
the webservice.

I've modified ACL rules, now it works as well - thanks again.

Anyway, it's very interesting, how and why slapd logs that
lines... they also misleaded me.

Thanks,

a.

References:
- Insufficient acces in some cases
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Insufficient acces in some cases
  - From: Clément OUDOT <clement.oudot@worteks.com>
- Re: Insufficient acces in some cases
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Insufficient acces in some cases
  - From: Clément OUDOT <clement.oudot@worteks.com>
- Re: Insufficient acces in some cases
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Insufficient acces in some cases
  - From: Clément OUDOT <clement.oudot@worteks.com>

Prev by Date: Re: Insufficient acces in some cases
Next by Date: Re: Worse search performance on a branch than at the tree base
Index(es):
- Chronological
- Thread