[sork] Failure in changing password: Insufficient access
David Chang
david at thbuo.gov.tw
Fri Apr 25 13:28:31 PDT 2003
Hi all:
Backend: ldap (openldap 2.0.25), Horde updated via CVS.
Can someone give me any opinions about the ACLs in my slapd.conf? Here is mine:
access to dn="dc=mvdis,dc=thbuo.gov.tw" by * read
access to attr=userPassword
        by self write
        by dn="cn=root,dc=mvdis,dc=thbuo.gov.tw" write
        by * none
access to *
        by self write
        by users read
        by anonymous auth
passwd/config/conf.php
----------------------
$conf['hooks']['userdn'] = true;
passwd/config/backends.php
--------------------------
$backends['ldap'] = array(
    'name' => 'ldap',
    'preferred' => 'true',
    'password policy' => array(
        'minLength' => 6,
        'maxLength' => 8,
        'minNumeric' => 2,
        'minAlpha' => 2
    ),
    'driver' => 'ldap',
    'params' => array(
        'host' => 'localhost',
        'port' => 389,
        'basedn' => 'ou=people,dc=mvdis,dc=thbuo.gov.tw',
        'uid' => 'uid',
        'realm' => '',   // this will be appended to the username when
                         // looking for the userdn.
        // 'userdn' => 'uid=' . Auth::getAuth() . ',o=example.com',
        'encryption' => 'crypt',
        'tls' => false   // make sure the host == cn in the server certificate
    )
);
horde/config/hooks.php
----------------------
if (!function_exists('_passwd_hook_userdn')) {
    function _passwd_hook_userdn($auth)
    {
        // strip off the realm (anything after '@') before building the DN
        if (strstr($auth, '@')) {
            $parts = explode('@', $auth);
            $auth = $parts[0];
        }
        return 'uid=' . $auth . ',ou=people,dc=mvdis,dc=thbuo.gov.tw';
    }
}
Results of slapd debug, slapd -d 256
-----------------------------------
daemon: socket() failed errno=97 (Address family not supported by protocol)
slapd starting
daemon: conn=0 fd=9 connection from IP=210.241.49.68:57177 (IP=0.0.0.0:389) acc.
conn=0 op=0 BIND dn="UID=TXG16,OU=PEOPLE,DC=MVDIS,DC=THBUO.GOV.TW" method=128
ber_flush: 14 bytes to sd 9
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 MOD dn="uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.tw"
ber_flush: 14 bytes to sd 9
conn=0 op=1 RESULT tag=103 err=50 text=
conn=0 op=2 UNBIND
conn=-1 fd=9 closed
Results of slapd debug, slapd -d 128
-----------------------------------
slapd starting
=> access_allowed: auth access to "uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.twd
=> dnpat: [1] dc=mvdis,dc=thbuo.gov.tw nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.tw attr: userPassd
=> match[0]: 20 44 DC=MVDIS,DC=THBUO.GOV.TW=> acl_mask: access to entry "uid=txd
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: auth access granted by read (=rscx)
ber_flush: 14 bytes to sd 9
=> access_allowed: write access to "uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.td
=> dnpat: [1] dc=mvdis,dc=thbuo.gov.tw nsub: 0
=> acl_get: [1] matched
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.tw attr: userPassd
=> match[0]: 20 44 DC=MVDIS,DC=THBUO.GOV.TW=> acl_mask: access to entry "uid=txd
=> acl_mask: to all values by "UID=TXG16,OU=PEOPLE,DC=MVDIS,DC=THBUO.GOV.TW", (
<= check a_dn_pat: *
<= acl_mask: [1] applying read (=rscx) (stop)
<= acl_mask: [1] mask: read (=rscx)
=> access_allowed: write access denied by read (=rscx)
David Chang
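Added illustration (editor's example, not OpenLDAP code and not part of the original post): a deliberately simplified model of how slapd walks its ACLs, used to replay the decision visible in the `-d 128` trace above. It assumes what the trace shows: the first `access to` clause whose target pattern matches wins and evaluation stops there, the first matching `by` selector inside that clause sets the level, and an OpenLDAP 2.0 `dn="..."` pattern is an unanchored case-insensitive regex, so `dn="dc=mvdis,dc=thbuo.gov.tw"` matches every entry under the suffix, not only the suffix entry itself. The `REORDERED` list is the editor's variant for comparison: the `userPassword` clause moved ahead of the base clause, the base pattern anchored with `^...$`, and `by anonymous auth` added (the standard slapd admin-guide recipe) so that simple binds still get the `auth` access they need once `by * read` no longer covers the password attribute.

```python
import re

# Simplified model of slapd (OpenLDAP 2.0) ACL evaluation. Added example,
# not OpenLDAP code. Assumptions: first matching "access to" clause wins
# (stop); first matching "by" selector inside it sets the level; dn="..."
# patterns are case-insensitive regexes and may be unanchored.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def grants(granted, needed):
    """True if level `granted` includes level `needed` (levels are cumulative)."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


def who_matches(kind, arg, bind_dn, target_dn):
    """Does a 'by <who>' selector apply to this bind DN / target DN pair?"""
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "users":
        return bind_dn != ""
    if kind == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if kind == "dn":
        return re.search(arg, bind_dn, re.IGNORECASE) is not None
    raise ValueError("unknown selector %r" % kind)


def evaluate(acls, target_dn, attr, bind_dn, needed):
    """Return (allowed, index of the deciding clause or None, level applied)."""
    for idx, acl in enumerate(acls):
        if acl.get("dn") and not re.search(acl["dn"], target_dn, re.IGNORECASE):
            continue
        if acl.get("attr") and acl["attr"].lower() != attr.lower():
            continue
        for kind, arg, level in acl["by"]:
            if who_matches(kind, arg, bind_dn, target_dn):
                return grants(level, needed), idx, level
        return False, idx, "none"                 # clause matched, no 'by' applied
    return grants("read", needed), None, "read"   # slapd default: by * read


BASE = "dc=mvdis,dc=thbuo.gov.tw"
ROOT = "cn=root," + BASE
USER = "uid=txg16,ou=people," + BASE      # DN seen in the posted debug log

# Clauses transcribed from the posted slapd.conf.
BASE_UNANCHORED = {"dn": BASE, "by": [("*", None, "read")]}
PASSWORD_POSTED = {"attr": "userPassword",
                   "by": [("self", None, "write"),
                          ("dn", "^" + re.escape(ROOT) + "$", "write"),
                          ("*", None, "none")]}
CATCH_ALL = {"by": [("self", None, "write"),
                    ("users", None, "read"),
                    ("anonymous", None, "auth")]}
AS_POSTED = [BASE_UNANCHORED, PASSWORD_POSTED, CATCH_ALL]

# Editor's reordered variant: attribute clause first, base pattern anchored to
# the suffix entry only, "by anonymous auth" so simple binds can still check
# userPassword once "by * read" no longer applies to it.
BASE_ANCHORED = {"dn": "^" + re.escape(BASE) + "$", "by": [("*", None, "read")]}
PASSWORD_FIXED = {"attr": "userPassword",
                  "by": [("self", None, "write"),
                         ("dn", "^" + re.escape(ROOT) + "$", "write"),
                         ("anonymous", None, "auth"),
                         ("*", None, "none")]}
REORDERED = [PASSWORD_FIXED, BASE_ANCHORED, CATCH_ALL]


def self_password_write(acls):
    """Can the user modify their own userPassword (the MOD that fails with err=50)?"""
    return evaluate(acls, USER, "userPassword", USER, "write")


def anonymous_bind_possible(acls):
    """A simple bind needs 'auth' access to userPassword for the anonymous peer."""
    allowed, _, _ = evaluate(acls, USER, "userPassword", "", "auth")
    return allowed


def anonymous_can_read_password(acls):
    """Whether the first clause leaks read access to password hashes."""
    allowed, _, _ = evaluate(acls, USER, "userPassword", "", "read")
    return allowed


if __name__ == "__main__":
    for name, acls in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        allowed, idx, level = self_password_write(acls)
        print("%-10s self write on userPassword: %s (clause %s applied %s)"
              % (name, allowed, idx, level))
        print("%-10s anonymous read on userPassword: %s"
              % (name, anonymous_can_read_password(acls)))
```

Run as-is it reports the same thing the trace does: under `AS_POSTED` clause 0 (slapd numbers it `[1]`) matches the user's entry, applies `read` and stops, so the write is denied and, as a side effect, every anonymous client can read `userPassword`. Reordering the posted password clause alone would close that hole but also deny the `auth` access anonymous binds need, which is why the variant adds `by anonymous auth`.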