Hi List,
I'm new to openldap and I'm having trouble getting even the most
simple access controls to work.
I have an openldap (2.2.27) server set up (on RH9) and a client (FC3)
set up to authenticate using the ldap. I have created a test user
named testguy.
With the default ACLs ("access to * by * read") my testguy can
authenticate, but cannot change his password. This is exactly what I
expect.
If I change it to "access to * by * write" then testguy can change his
password with no trouble. Again, exactly what I expect (though it's
not a smart policy).
But if I change the ACL to almost anything else, testguy either loses
the ability to authenticate or loses the ability to change password.
For example, here's a rule (still very simple):
access to *
by self write
by * read
I believe this should allow testguy to authenticate due to the "by *
read" line, and change password due to the "by self write" line. But
nope. Testguy can still authenticate, but an attempt to change
password gets:
LDAP Password incorrect: try again
The above is using the passwd command. Just to try something else, I
tried using ldappasswd instead, and I get:
>ldappasswd -WS -x -v "uid=testguy,ou=people,dc=tcl,dc=com"
ldap_bind: Invalid credentials (49)
As a sanity check, I try the same thing but bind as rootdn instead. It works:
>ldappasswd -WS -x -v -D "cn=manager,dc=tcl,dc=com" "uid=testguy,ou=People,dc=tcl,dc=com"
...
Result: Success (0)
This is pretty basic stuff so I assume I've got something set up
wrong. But what? What am I missing here? Any clues where to look would
be great.
Thanks,
Darcy
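Since slapd evaluates "access to" directives and their "by" clauses in first-match order, the following added Python model (my own illustration, not code from the post or from OpenLDAP) works out what the rule quoted above grants to an anonymous bind versus to testguy himself, and compares it with a constructed variant that puts a separate attrs=userPassword rule in front of it. The variant, its "by anonymous auth" clause and the sample DNs are assumptions for illustration only.

```python
# Added example (not from the post): a simplified model of slapd's first-match ACL
# evaluation, reproducing only the rules that matter here:
#  - the first "access to" clause whose <what> covers the attribute is used,
#  - inside it, the first matching <who> clause decides; later ones are ignored,
#  - if no <who> clause matches, access is denied,
#  - a granted level implies every lower one (write > read > ... > auth > none).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# The rule from the post: "access to * by self write by * read"
ACL_FROM_POST = [("*", [("self", "write"), ("*", "read")])]

# Constructed alternative (assumed, not from the post): protect userPassword
# first, then fall through to the post's rule for every other attribute.
ACL_PASSWORD_FIRST = [
    ("attrs=userPassword", [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    ("*", [("self", "write"), ("*", "read")]),
]

def who_matches(who, binder, target_dn):
    """binder is the bind DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return binder is None
    if who == "users":
        return binder is not None
    if who == "self":
        return binder is not None and binder.lower() == target_dn.lower()
    return False  # dn=, group= and other <who> forms are out of scope here

def check(acl, binder, target_dn, attr, needed):
    """True if binder gets at least `needed` access to `attr` of target_dn."""
    for what, by_clauses in acl:
        if what != "*" and what != f"attrs={attr}":
            continue  # this clause does not cover the attribute; try the next one
        for who, level in by_clauses:
            if who_matches(who, binder, target_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False  # <what> matched but no <who> did: deny and stop
    return False  # nothing matched at all: deny

TESTGUY = "uid=testguy,ou=people,dc=tcl,dc=com"

if __name__ == "__main__":
    for name, acl in (("post", ACL_FROM_POST), ("password-first", ACL_PASSWORD_FIRST)):
        print(name, "anonymous can read userPassword:",
              check(acl, None, TESTGUY, "userPassword", "read"))
```

With the post's rule, "by * read" is what satisfies the anonymous auth check, but it also lets any anonymous client read every userPassword hash; the variant keeps auth working for the bind while denying that read.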