[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACL Problem

Hi


here is my command 

ldappasswd -h localhost -D "mail=edergi@.....mail.......edu.tr,ou=SOME_UNIT,jvd=.....mail........edu.tr,o=hosting,dc=myhosting,dc=example" -w 123456 -a 123456 -s somepassowrd
Result: Insufficient access (50)

AND debug output

(by the way how can i sure my regex match my entry, are the usefull regex tool for check this.)
i chenged my regex with dn.regex=".*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"

thanks 

-----------------------------------------------------------------------------------------------------------------------------
conn=1000 op=1 PASSMOD old new
bdb_dn2entry("mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: ndn: "mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "userPassword"
bdb_dn2entry("mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example"
bdb_entry_get: rc=0
=> access_allowed: result not in cache (userPassword)
=> access_allowed: auth access to "mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example" "userPassword" requested
=> slap_access_allowed: backend default auth access granted to "mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example"
=> access_allowed: auth access granted by read(=rscxd)
=> bdb_entry_get: ndn: "mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=myhosting,dc=example"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=myhosting,dc=example")
=> bdb_entry_get: found entry: "cn=default,ou=policies,dc=myhosting,dc=example"
bdb_entry_get: rc=0
bdb_modify: mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example
slap_queue_csn: queing 0x7f31f34201d0 20111220095453.284620Z#000000#000#000000
bdb_dn2entry("mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example")
bdb_modify_internal: 0x00000015: mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example
=> access_allowed: backend default write access denied to "mail=edergi@.......mail.........edu.tr,ou=SOME_UNIT,jvd=.......mail.........edu.tr,o=hosting,dc=myhosting,dc=example"
bdb_modify: modify failed (50)
send_ldap_result: conn=1000 op=1 p=3
------------------------------------------------------------END ---------------------------------

On Tue, Dec 20, 2011 at 11:34 AM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Tuesday, 20 December 2011 10:55:12 Selcuk Yazar wrote:
> Hi,
>
> I want to ldap users to change their password.
>
> sample user dn is
> mail=edergi@.....mail......edu.tr<http://193.255.140.119/phpldapadmin/htdoc
> s/cmd.php?cmd=template_engine&server_id=1&dn=mail%3Dedergi%40trakyamail.tra
> kya.edu.tr%2Cou%3DKURUMSAL_SISTEMSEL%2Cjvd%3Dtrakyamail.trakya.edu.tr%2Co%3
> Dhosting%2Cdc%3Dmyhosting%2Cdc%3Dexample>
> ,ou=<http://193.255.140.119/phpldapadmin/htdocs/cmd.php?cmd=template_engin
> e&server_id=1&dn=ou%3DKURUMSAL_SISTEMSEL%2Cjvd%3Dtrakyamail.trakya.edu.tr%2
> Co%3Dhosting%2Cdc%3Dmyhosting%2Cdc%3Dexample>
> SOME_UNIT,jvd=.....mail.......edu.tr<http://193.255.140.119/phpldapadmin/h
> tdocs/cmd.php?cmd=template_engine&server_id=1&dn=jvd%3Dtrakyamail.trakya.ed
> u.tr%2Co%3Dhosting%2Cdc%3Dmyhosting%2Cdc%3Dexample>
> ,o=hosting<http://193.255.140.119/phpldapadmin/htdocs/cmd.php?cmd=template
> _engine&server_id=1&dn=o%3Dhosting%2Cdc%3Dmyhosting%2Cdc%3Dexample>
>
> and we have acl rules in slapd.conf
>
> access to dn.regex=".*,ou=.*,jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
>         attrs=userPassword
>         by self write
>         by
> group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc
> =myhosting,dc=example" write
>         by * auth
>         by * none
>
> access to dn.regex=".*jvd=([^,]+),o=hosting,dc=myhosting,dc=example"
>         by self write
>         by
> group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=hosting,dc
> =myhosting,dc=example" write
>         by * read
>
> access to *
>         by * read
>
> i apply  various rules from openldap documentation, but no one works.

It is not clear whether your 'sample user dn' matches the regex in your first
rule.

Why don't you provide a password changing attempt, done with 'ldappasswd',
showing the full commandline, and all output.

> why
> users can't chage their password ?

If you had provided the error code, we could have been relatively sure, but I
will guess they don't have sufficient access because your regex isn't
matching.

Regards,
Buchan



--
Selçuk YAZAR
http://www.selcukyazar.blogspot.com