I did read, but slapd does it the wrong way.
My slapd.conf does contain following:
# forbid writing to userPassword for entries starting with {SASL}
access to attrs=userPassword val.regex=SASL}.*
by * auth stop
# allow writing to ldapclient and self, otherwise only auth
access to attrs=userPassword,userPKCS12,sambaNTPassword,sambaLMPassword
by dn=cn=ldapclient,dc=mydomain,dc=de write
by self write
by * auth
What I expect is that an entry with an existing userPasswd of
'{SASL}something' will not be writable by any user.
What I get is that the ldapclient and 'self' can write new userPasword
if the content of the *NEW* password does not contain {SASL}.
I don't understand how to get it working in my way.
Protocol:
-
Database has following entries (shortened):
dn: uid=frust,ou=People,dc=mydomain,dc=de
userPassword:: geheim
dn: uid=someone,ou=People,dc=mydomain,dc=de
userPassword:: {SASL}someone
Now try to change entries:
ldapmodify -x -v -D 'cn=ldapclient,dc=mydomain,dc=de' -W
dn: uid=someone,ou=People,dc=mydomain,dc=de
changetype: modify
replace: userPassword
userPassword: newpass
-
Enter LDAP Password:
replace userPassword:
newpass
modifying entry uid=someone,ou=People,dc=mydomain,dc=de
modify complete
ldapmodify -x -v -D 'cn=ldapclient,dc=mydomain,dc=de' -W
dn: uid=frust,ou=People,dc=mydomain,dc=de
changetype: modify
replace: userPassword
userPassword: {SASL}abc
-
Enter LDAP Password:
replace userPassword:
{SASL}abc
modifying entry uid=frust,ou=People,dc=mydomain,dc=de
ldap_modify: Insufficient access (50)
Am Freitag, den 26.11.2010, 05:09 -0800 schrieb Howard Chu:
Frank Rust wrote:
Hi all,
would it be possible to configure a content-based access control?
Yes. Read the slapd.access(5) manpage.
I have following configuration: my ldap contains user data.
Some of the users are local ones and have a regular password entry.
They shall be able to change their password.
Other users are remotely authenticated with saslauthd.
They shall not be able to change their 'password' which is just a
redirection.