Re: can't chang ldap user passwd by self

[Dan White <dwhite@cafedemocracy.org>]

On 04/12/15 22:56 +0800, feora wrote:
> I found log in ldap.log file
>
> Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access to 
> "uid=bobliu,ou=it,dc=abc,dc=com" "userPassword" requested
> Apr 12 14:20:54 abc slapd[3136]: => slap_access_allowed: backend 
> default auth access granted to "(anonymous)"
> Apr 12 14:20:54 abc slapd[3136]: => access_allowed: auth access 
> granted by read(=rscxd)
> Apr 12 14:20:54 abc slapd[3136]: => access_allowed: backend default 
> write access denied to "uid=bobliu,ou=it,dc=abc,dc=com"
>
> why access granted to anoymous not  bobliu.
>
>
> On 04/12/2015 10:05 PM, feora wrote:
> >  hi, Dan
> >       thanks for u answer.
> >    I still a little confused about it.
> >   I run the following command
> >    /opt/openldap/bin/ldappasswd -x -D 
> > "uid=bobliu,ou=it,dc=abc,dc=com" -W -S
> > New password:
> > Re-enter new password:
> > Enter LDAP Password:
> > Result: Insufficient access (50)
> >
> >    when I run ldapsearch is ok.
> >
> > userPassword:: <removed>

Be aware that your ssha password hash is know publicly known.

The above would indicate that you *are* successfully authenticating, since
the userPassword attribute was returned. That's assuming that your ACL
config below is accurate.

> > On 04/02/2015 01:40 AM, Dan White wrote:
> > > On 03/31/15 17:47 +0800, rockwang wrote:
> > > > access to attrs=userPassword
> > > > by self write
> > > > by anonymous auth
> > > > by dn.base="cn=Manager,dc=abc,dc=com"
> > > > by *  none

This config block has been through the wringer, but verify user
userPassword ACL config. Something's up. Run slaptest on your config to
verify and verify it's formatted properly.

> > > > access to *
> > > >             by self write
> > > >             by dn.base="cn=Manager,dc=abc,dc=com"
> > > >             by * read
> > > >             by * none

--
Dan White