On Wed, 22 Jan 2014 18:14:22 -0700, Joshua Schaeffer <jschaeffer0...@gmail.com> wrote:

> Just now getting back to this. I ran the daemon in debug mode, then
> ran the passwd utility on a different server for my uid (got the same
> results as before and then terminated the daemon) and it output a lot
> on the acl's. I attached the full log file. Below is the tail end of
> the log:
>
> ===================================================
> 52e068f8 <= acl_mask: [3] mask: read(=rscxd)
> 52e068f8 => slap_access_allowed: read access granted by read(=rscxd)
> 52e068f8 => access_allowed: read access granted by read(=rscxd)
> 52e068f8 => access_allowed: result not in cache (userPassword)
> 52e068f8 => access_allowed: read access to
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword"
> requested
> 52e068f8 => acl_get: [1] attr userPassword
> 52e068f8 => acl_mask: access to entry
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword"
> requested
> 52e068f8 => acl_mask: to value by "", (=0)
> 52e068f8 <= check a_dn_pat: self
> 52e068f8 <= check a_dn_pat: anonymous
> 52e068f8 <= acl_mask: [2] applying auth(=xd) (stop)
> 52e068f8 <= acl_mask: [2] mask: auth(=xd)
> 52e068f8 => slap_access_allowed: read access denied by auth(=xd)
> 52e068f8 => access_allowed: no more rules
> 52e068f8 send_search_entry: conn 1000 access to attribute
> userPassword, value #0 not allowed
> 52e068fb => bdb_entry_get: found entry:
> "uid=jschaeffer,ou=people,dc=harmonywave,dc=com"
> 52e068fb => bdb_entry_get: found entry:
> "cn=default,ou=policies,dc=harmonywave,dc=com"
> 52e068fb => access_allowed: result not in cache (userPassword)
> 52e068fb => access_allowed: auth access to
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword"
> requested
> 52e068fb => acl_get: [1] attr userPassword
> 52e068fb => acl_mask: access to entry
> "uid=jschaeffer,ou=People,dc=harmonywave,dc=com", attr "userPassword"
> requested
> 52e068fb => acl_mask: to value by "", (=0)
> 52e068fb <= check a_dn_pat: self
> 52e068fb <= check a_dn_pat: anonymous
> 52e068fb <= acl_mask: [2] applying auth(=xd) (stop)
> 52e068fb <= acl_mask: [2] mask: auth(=xd)
> 52e068fb => slap_access_allowed: auth access granted by auth(=xd)
[...]

There is an anonymous trying to read a userPassword (and probably trying to modify it afterwards). According to your access rules only auth permissions are granted to anonymous.

-Dieter

--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
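
Added example, not part of the original message and not OpenLDAP code: a small Python parser that pairs each `access_allowed` request in a slapd ACL trace like the one quoted above with its `slap_access_allowed` result, so the anonymous read of userPassword (denied) and the auth access (granted) show up as two records. The function names are hypothetical, the sample lines come from the quoted log with the mail wrapping undone, and reading an empty `by ""` as an anonymous session and the last `check a_dn_pat` value as the matching who clause are assumptions about the trace format.

```python
import re

# Sample input: lines from the quoted log above, mail line wrapping undone.
SAMPLE = '''\
52e068f8 => access_allowed: read access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068f8 => acl_mask: to value by "", (=0)
52e068f8 <= check a_dn_pat: self
52e068f8 <= check a_dn_pat: anonymous
52e068f8 => slap_access_allowed: read access denied by auth(=xd)
52e068fb => access_allowed: auth access to "uid=jschaeffer,ou=People,dc=harmonywave,dc=com" "userPassword" requested
52e068fb => acl_mask: to value by "", (=0)
52e068fb <= check a_dn_pat: self
52e068fb <= check a_dn_pat: anonymous
52e068fb => slap_access_allowed: auth access granted by auth(=xd)
'''

REQ = re.compile(r'=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
BY = re.compile(r'=> acl_mask: to .* by "([^"]*)"')
WHO = re.compile(r'<= check a_dn_pat: (\S+)')
RES = re.compile(r'=> slap_access_allowed: (\w+) access (granted|denied) by (\S+)')

def acl_decisions(text):
    """Return one dict per ACL evaluation: request, session identity, outcome."""
    decisions, cur = [], None
    for line in text.splitlines():
        if m := REQ.search(line):
            cur = {"level": m[1], "dn": m[2], "attr": m[3],
                   "bound_as": None, "who": None}
        elif cur is None:
            continue  # trace line outside an evaluation we saw start
        elif m := BY.search(line):
            # Assumption: an empty DN here means the session is anonymous.
            cur["bound_as"] = m[1] or "(anonymous)"
        elif m := WHO.search(line):
            # Assumption: the last pattern checked is the one that matched.
            cur["who"] = m[1]
        elif m := RES.search(line):
            cur.update(result=m[2], mask=m[3])
            decisions.append(cur)
            cur = None
    return decisions

def anonymous_password_reads(decisions):
    """Evaluations where an anonymous session asked for more than auth on userPassword."""
    return [d for d in decisions
            if d["attr"].lower() == "userpassword"
            and d["bound_as"] == "(anonymous)" and d["level"] != "auth"]

if __name__ == "__main__":
    for d in acl_decisions(SAMPLE):
        print(d["level"], d["attr"], d["bound_as"], d["who"], d["result"], d["mask"])
```
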