
List:       ldap
Subject:    [ldap] Re: ACL issues Insufficient access (50)
From:       Andrew Findlay <andrew.findlay () skills-1st ! co ! uk>
Date:       2013-01-21 20:11:54
Message-ID: 20130121201154.GI30531 () slab ! skills-1st ! co ! uk

On Mon, Jan 21, 2013 at 09:57:48AM -0300, Net Warrior wrote:

> To: ldap@umich.edu

As this is an OpenLDAP-specific question you would probably do
better to ask on openldap-technical@openldap.org

> Subject: [ldap] ACL issues Insufficient access (50)

> I'm facing a problem with my acl, basically I want my users be able to
> change their password,  but I always get
> New password:
> Re-enter new password:
> ldap_initialize(ldap://ldapserver  )
> Enter LDAP Password:
> Result: Insufficient access (50)

What is the command-line that you used there?

> From the logs
> access_allowed: backend default write access denied to userxxxx
> 
> Reading some posts, someone suggested to add olcAccess: {0} to * by *
> write to the ACL, which I tested but with no luck, I'm just using
> simple authentication, no ssl or that kind of stuff.

That sounds like a very unwise ACI to add! If in the right
place it allows everyone (including Anon users) to read
and write everything.

> dn: olcDatabase={0}config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0} to * by * write

You seem to be adding this to the config database itself. Surely if
you want people to change their own passwords you should be
adding ACLs to the database that contains the user entries. The
DN will be something like:

	olcDatabase={1}hdb

> I'm trying to change the password locally from the ldap server itself,
> from the client doesn't work either, I'm using nslcd.conf and I'm not
> allowing anon logins, but it seems
> that by default in some place it's allowing it.

Start with getting the LDAP access right using just OpenLDAP
clients (ldapwhoami, ldapsearch, etc). Once that is set up you
can progress to nslcd.

Have a look at the Admin Guide:

http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example

Lines 29-49 of the example show the sort of thing you want.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
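A constructed example of the kind of ACL the reply points to, placed on the user database rather than on cn=config. This is added here and is not part of Andrew's message or of the Admin Guide; the database index {1}hdb, the suffix dc=example,dc=com and the admin DN cn=Admin,dc=example,dc=com are assumptions to be adjusted for the real server.

```ldif
# Constructed example: replace the ACL on the database that holds the user
# entries (olcDatabase={1}hdb is assumed; check with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
# ). Apply as the config root, for example:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-acl.ldif
#
# The rule quoted in the thread,
#   olcAccess: {0}to * by * write
# grants write access to every bind, anonymous included, and on
# olcDatabase={0}config it does nothing for the user entries anyway.

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Users may change their own password; anonymous binds may only use the
# attribute to authenticate (required for a simple bind to succeed);
# the admin DN may reset it; nobody else can read or write it.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn.base="cn=Admin,dc=example,dc=com" write
  by * none
# The root DSE stays readable so clients can discover naming contexts.
olcAccess: {1}to dn.base="" by * read
# Everything else: owners and the admin may write, authenticated users may
# read, anonymous binds get nothing (the poster does not want anon access).
olcAccess: {2}to *
  by self write
  by dn.base="cn=Admin,dc=example,dc=com" write
  by users read
  by * none
```

After applying it, `ldapwhoami -x -D <user DN> -W` followed by `ldappasswd -x -D <user DN> -W -S` should succeed for the user, while an anonymous `ldapsearch -x` no longer returns userPassword.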
