Kurt-- Yes, you are correct. I get the same behavior with ldappasswd. I'll post this to PADL's list & thank you for the reply.
roy

"Kurt D. Zeilenga" <[EMAIL PROTECTED]> 05/01/2006 05:21 PM
To: Roy Ledochowski/Burlingame/[EMAIL PROTECTED]
cc: [email protected]
Subject: Re: ACLs and password policies

The problem, despite return of insufficientAccessRights result code, appears (by my quick examination of the overlay code) to have nothing to do with access controls. It appears that an administrative policy was not adhered to. In particular, as indicated by the additional text provided with the result code, the client did not provide the old password. You should be able to duplicate this behavior using ldappasswd(1).

You likely should consult the documentation of the LDAP client software you are using to not only determine its capabilities, but how to make use of those capabilities. (Please use PADL-provided mailing lists to discuss issues specific to PADL software.)

-- Kurt

At 01:27 PM 5/1/2006, Roy Ledochowski wrote:
>Hi All--
>
>I just recently implemented the ppolicy module and now my users can't
>change their passwords using the 'passwd' utility. I see the following
>error in syslog (linux):
>
>pam_ldap: ldap_extended_operation_s Insufficient access
>
>Passwd returns the following:
>
>[EMAIL PROTECTED] prd]# passwd tester
>Changing password for user tester.
>New password:
>Retype new password:
>LDAP password information update failed: Unknown error
>Must supply old password to be changed as well as new one
>passwd: Permission denied
>
>
>I'm using PADL's nss_ldap and pam_ldap. If I bind as manager, passwd
>works correctly. If I bind as my proxy user, I get the above errors. I
>realize this is most likely an ACL problem, so here's the relevant part of
>my ACL file:
>
>access to
>attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaPasswordHistory,shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowExpire,shadowFlag,pwdChangedTime,pwdAccountLockedTime,pwdFailureTime,pwdHistory,pwdGraceUseTime,pwdReset
>        by dn="cn=ldap_repl,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=samba,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=smbldap-tools,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=nssldap,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=ldapux,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by dn="cn=solaris,ou=DSA,dc=burlingame,dc=ibm,dc=com" write
>        by self write
>        by * auth
>
>
>pam_ldap binds as nssldap.
>
>The ppolicy entries are world-readable, but not writable to the proxy user
>because I could not see a need for it.
>
>Any help would be greatly appreciated
>
>thanks
>roy
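An added illustration, not code from the thread or from OpenLDAP: a small Python model of the two checks a password change passes through in Kurt's explanation. The ACL clauses are Roy's, evaluated in order with the first match winning; the old-password requirement models the ppolicy pwdSafeModify setting (assumed TRUE in Roy's policy, since the thread only says the policy was not followed). The rootdn name and the tester entry DN are assumed, and the rootdn exemption follows Roy's observation that binding as manager works.

```python
BASE = "ou=DSA,dc=burlingame,dc=ibm,dc=com"
ROOTDN = "cn=manager,dc=burlingame,dc=ibm,dc=com"             # assumed rootdn
TESTER = "uid=tester,ou=People,dc=burlingame,dc=ibm,dc=com"   # assumed entry DN

# The "by" clauses of Roy's access directive, in their original order.
# slapd stops at the first clause whose "who" part matches the requester.
BY_CLAUSES = [
    ("dn", "cn=ldap_repl," + BASE, "write"),
    ("dn", "cn=samba," + BASE, "write"),
    ("dn", "cn=smbldap-tools," + BASE, "write"),
    ("dn", "cn=nssldap," + BASE, "write"),
    ("dn", "cn=ldapux," + BASE, "write"),
    ("dn", "cn=solaris," + BASE, "write"),
    ("self", None, "write"),
    ("*", None, "auth"),
]
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def acl_access(bind_dn, target_dn):
    """Access level the first matching 'by' clause grants on userPassword."""
    for kind, who, level in BY_CLAUSES:
        if kind == "dn" and bind_dn == who:
            return level
        if kind == "self" and bind_dn == target_dn:
            return level
        if kind == "*":
            return level
    return "none"


def password_modify(bind_dn, target_dn, old_password, safe_modify=True):
    """Outcome of a PasswordModify request as (resultCode, diagnostic text).

    safe_modify models the policy's pwdSafeModify flag (assumed TRUE here),
    which is what makes the overlay demand the old password.
    """
    if bind_dn == ROOTDN:
        return "success", ""     # rootdn bypasses ACLs and policy (manager works)
    if LEVELS.index(acl_access(bind_dn, target_dn)) < LEVELS.index("write"):
        return "insufficientAccessRights", "no write access to userPassword"
    if safe_modify and old_password is None:
        # Same result code as an ACL denial, which is why it looks like one.
        return ("insufficientAccessRights",
                "Must supply old password to be changed as well as new one")
    return "success", ""


if __name__ == "__main__":
    proxy = "cn=nssldap," + BASE
    print(acl_access(proxy, TESTER))              # write: the ACL is not the problem
    print(password_modify(proxy, TESTER, None))   # refused by the policy check
    print(password_modify(proxy, TESTER, "old"))  # succeeds once old password is sent
```

The proxy user clears the ACL but is still refused without the old password, which matches the diagnostic text in Roy's passwd output.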
