Hi there,
I can't seem to find my error in my Ldif file. I have an openLDAP server and
I'd like to change the config, that every member of the group
sys_allow_pw_change is able to change the password of every user. It's been a
while since I've last used openLDAP.
I got the current ACLs using
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b \
> cn=config '(olcDatabase={1}mdb)' olcAccess
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
So I've created pwchange.ldif with the help of this serverfault post
(https://serverfault.com/questions/1064914/q-what-is-the-correct-way-to-add-olcaccess-rules-to-openldap):
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
by self write
by dn="cn=admin,dc=ldap,dc=example,dc=com" manage
by dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUid
& user/uid" write
by anonymous auth
by * none
-
add: olcAccess
olcAccess: {1}to attrs=shadowLastChange
by self write
by * read
-
add olcAccess
olcAccess: {2}to *
by * read
So I'm adding the group in question to olcAccess{0} and re adding all the
current config. However:
ldapmodify -a -x -D "cn=admin,dc=ldap,dc=example,dc=com" -w Passw0rd! -H
ldap:// -f pwchange.ldif
results in
ldapmodify: invalid format (line 9) entry: "olcDatabase={1}mdb,cn=config"
(Line 9 is by * none)
Thanks for any pointers!
