Re: password change does not work: LDAP, sssd, nss or pam error?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2010-10-09 at 09:53 +0200, Volker Potworowski wrote:

> access to *
>         by dn.exact="cn=root,dc=teraphim,dc=de" read
>         by * none
> access to attrs=userPassword
>         by dn.base="cn=Manager,dc=teraphim,dc=de" write
>         by anonymous auth
>         by self write
>         by * none
> access to attrs=shadowLastChange
>         by self write
>         by * read
> access to *
>         by self write
>         by * read
----
these ACL's are not good. ACL's are parsed from top to bottom and once a
controlling rule is hit, the rest is ignored. That means unless you are
binding as rootbinddn or 'cn=root,dc=teraphim,dc=de' (which I guess IS
rootbinddn) then you are locked out - period. Suggest that you change
them to something like this...

access to attrs=userPassword
        by dn.base="cn=Manager,dc=teraphim,dc=de" write
        by anonymous auth
        by self write
        by * none
# I'd probably at least comment this one out for now and I'm still
# not sure why you really care about this rule anyway
access to attrs=shadowLastChange
        by anonymous auth
        by self write
        by * read
# you're going to have to adjust this next rule to match 
# the setup of your DSA
access to dn.regex="^uid=([^,]+)ou=People,dc=teraphim,dc=de$$"
        by self read
        by dn.exact="cn=Manager,dc=teraphim,dc=de" write write
        by anonymous auth
        by * none
access to *
        by anonymous auth
        by self write
        by * read

and I'm presuming that "cn=root,dc=teraphim,dc=de" is the rootbinddn in
which case any entries in ACL's are meaningless since rootbinddn is by
design permitted to do anything.

Craig



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux