Le 18/09/2018 à 18:11, Ervin Hegedüs a écrit :
> Hi, there is an interesting insufficient access problem...
>
> There are 3 (in dev environment 2) multimaster ldap node.
>
> There is a simple web frontend, written in PHP, where user can
> change its own password, or can get a link to set up a new pass
> if old one had lost.
>
> In some cases (some users) the user can't change the own password
> through PHP. When I change it from webserver with ldapmodify and
> a simple ldif file, it works as well.
>
> But when I try to modify the passwd through PHP, I got
> "Insufficient access" error, and these lines are in syslog:
>
>
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to 
> "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" 
> "objectClass" requested
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] 
> ou=djp,dc=wificloud,dc=company,dc=hu
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] 
> ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 1
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: w
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: f
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: i
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: l
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: m
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: p
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: a
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: n
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: y
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: ,
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> Sep 18 17:48:13 dev-ldap-01 slapd[12125]: 
>
> (I replaced names and chars, so the match[dn0] numbers are not
> correct).
>
>
> Only few users can trigger this problem (don't know why), and
> only through PHP.
>
>
> What's the problem here?

Hello,

I would say that the PHP application is sending some garbage to the
directory. What application are you using for password change, is it LTB
Self Service Password ?

-- 
Clément Oudot | Identity Solutions Manager

clement.ou...@worteks.com

Worteks | https://www.worteks.com


Reply via email to