[sork] Re: Failure in changing password: Insufficient access

amith at xalan.com amith at xalan.com
Fri Apr 25 10:54:35 PDT 2003


I hate ACLs... I wish there was a better way to debug them.  But from looking at
your output (which seems to be cut off at the end of the line) it seems that

access to dn="dc=mvdis,dc=thbuo.gov.tw" by * read

is getting matched before anything else, causing you to be unable to write.  So
when LDAP is checking ACLs it starts from the top of your list to the bottom.
If the very 1st rule matches then it stops trying to match.  So even though you
say that self can write in rules #2 and #3 it never gets there (based on
what I see - but I could be wrong).  You might try to reorder stuff.  In
addition I think you want this rule

 access to attr=userPassword
  by self write
  by dn="cn=root,dc=mvdis,dc=thbuo.gov.tw" write
  by * none

to be

 access to attr=userPassword
  by self write
  by anonymous auth

because you want users who haven't bound to be able to auth against userPassword,
and the rootdn can always write so that doesn't need to be added.  I would send
you mine, but they aren't really working :)  so for now I have some liberal
rules that really need to be changed.

Amith




| Hi all:
| Backend: ldap (openldap 2.0.25), update Horde via CVS.
| Can someone give me any opinions about ACLs in my slapd.conf ? Here is mine:
|
| access to dn="dc=mvdis,dc=thbuo.gov.tw" by * read
|
| access to attr=userPassword
|  by self write
|  by dn="cn=root,dc=mvdis,dc=thbuo.gov.tw" write
|  by * none
|
| access to *
|  by self write
|  by users read
|  by anonymous auth
|
|
| passwd/config/conf.php
| ----------------------
| $conf['hooks']['userdn'] = true;
|
|
| passwd/config/backends.php
| --------------------------
| $backends['ldap'] = array(
|     'name' => 'ldap',
|     'preferred' => 'true',
|     'password policy' => array(
|         'minLength' => 6,
|         'maxLength' => 8,
|         'minNumeric' => 2,
|         'minAlpha' => 2
|     ),
|     'driver' => 'ldap',
|     'params' => array(
|         'host' => 'localhost',
|         'port' => 389,
|         'basedn' => 'ou=people,dc=mvdis,dc=thbuo.gov.tw',
|         'uid' => 'uid',
|         'realm' => '', // this will be appended to the username when
|                        // looking for the userdn.
| //        'userdn' => 'uid=' . Auth::getAuth() . ',o=example.com',
|         'encryption' => 'crypt',
|         'tls' => false // make sure the host == cn in the server certificate
|     )
| );
|
| horde/config/hooks.php
| ----------------------
| if (!function_exists('_passwd_hook_userdn')) {
|     function _passwd_hook_userdn($auth)
|     {
|         // ride off realm
|         if (strstr($auth, '@')) {
|             $parts = explode('@', $auth);
|             $auth = $parts[0];
|         }
|
|         return 'uid=' . $auth . ',ou=people,dc=mvdis,dc=thbuo.gov.tw';
|     }
| }
|
|
| Results of slapd debug, slapd -d 256
| -----------------------------------
| daemon: socket() failed errno=97 (Address family not supported by protocol)
| slapd starting
| daemon: conn=0 fd=9 connection from IP=210.241.49.68:57177 (IP=0.0.0.0:389)
| acc.
| conn=0 op=0 BIND dn="UID=TXG16,OU=PEOPLE,DC=MVDIS,DC=THBUO.GOV.TW" method=128
| ber_flush: 14 bytes to sd 9
| conn=0 op=0 RESULT tag=97 err=0 text=
| conn=0 op=1 MOD dn="uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.tw"
| ber_flush: 14 bytes to sd 9
| conn=0 op=1 RESULT tag=103 err=50 text=
| conn=0 op=2 UNBIND
| conn=-1 fd=9 closed
|
| Results of slapd debug, slapd -d 128
| -----------------------------------
| slapd starting
| => access_allowed: auth access to
| "uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.twd
| => dnpat: [1] dc=mvdis,dc=thbuo.gov.tw nsub: 0
| => acl_get: [1] matched
| => acl_get: [1] check attr userPassword
| <= acl_get: [1] acl uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.tw attr:
| userPassd
| => match[0]: 20 44 DC=MVDIS,DC=THBUO.GOV.TW=> acl_mask: access to entry
| "uid=txd
| => acl_mask: to all values by "", (=n)
| <= check a_dn_pat: *
| <= acl_mask: [1] applying read (=rscx) (stop)
| <= acl_mask: [1] mask: read (=rscx)
| => access_allowed: auth access granted by read (=rscx)
| ber_flush: 14 bytes to sd 9
| => access_allowed: write access to
| "uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.td
| => dnpat: [1] dc=mvdis,dc=thbuo.gov.tw nsub: 0
| => acl_get: [1] matched
| => acl_get: [1] check attr userPassword
| <= acl_get: [1] acl uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.tw attr:
| userPassd
| => match[0]: 20 44 DC=MVDIS,DC=THBUO.GOV.TW=> acl_mask: access to entry
| "uid=txd
| => acl_mask: to all values by "UID=TXG16,OU=PEOPLE,DC=MVDIS,DC=THBUO.GOV.TW",
| (
| <= check a_dn_pat: *
| <= acl_mask: [1] applying read (=rscx) (stop)
| <= acl_mask: [1] mask: read (=rscx)
| => access_allowed: write access denied by read (=rscx)
|
|
|
| David Chang
|
|
|
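
To make the first-match rule concrete, here is a small Python model of slapd's ACL evaluation run against David's ACLs as posted and against Amith's reordered version. This is an added example, not code from either message or from OpenLDAP; the <who>/<what> matching is simplified, and `dn=<pattern>` is treated as an unanchored regex (OpenLDAP 2.0 behaviour, which is why the `dnpat ... matched` lines in the -d 128 output show rule [1] matching the uid entry).

```python
import re

# slapd access levels in increasing order; a grant at level L satisfies any request <= L.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def who_matches(who, requester, target):
    """Match a <who> clause: *, self, anonymous, users, or dn="..." (exact match)."""
    if who == "*":
        return True
    if who == "self":                       # requester is the entry being accessed
        return requester.lower() == target.lower()
    if who == "anonymous":                  # not bound: empty DN
        return requester == ""
    if who == "users":                      # any bound DN
        return requester != ""
    if who.startswith('dn="'):
        return who[4:-1].lower() == requester.lower()
    raise ValueError("unsupported <who>: %s" % who)

def access_allowed(acls, requester, target, attr, wanted):
    """The first <what> matching entry+attribute wins; inside it the first <who>
    matching the requester decides, with an implicit 'by * none' at the end.
    Returns (granted_level, allowed), like the 'applying <level> (stop)' debug lines."""
    for dn_regex, attrs, by_clauses in acls:
        if dn_regex is not None and not re.search(dn_regex, target, re.IGNORECASE):
            continue
        if attrs is not None and attr.lower() not in {a.lower() for a in attrs}:
            continue
        for who, level in by_clauses + [("*", "none")]:
            if who_matches(who, requester, target):
                return level, LEVELS.index(level) >= LEVELS.index(wanted)
    return "none", False   # no directive matched (slapd's default handling simplified away)

SUFFIX = "dc=mvdis,dc=thbuo.gov.tw"
ROOT = 'dn="cn=root,dc=mvdis,dc=thbuo.gov.tw"'
USER = "uid=txg16,ou=people,dc=mvdis,dc=thbuo.gov.tw"   # the DN from the debug output

# David's slapd.conf as posted: the suffix rule comes first and names no attrs,
# so it matches every entry and every attribute, including userPassword.
ORIGINAL = [
    (SUFFIX, None, [("*", "read")]),
    (None, ["userPassword"], [("self", "write"), (ROOT, "write"), ("*", "none")]),
    (None, None, [("self", "write"), ("users", "read"), ("anonymous", "auth")]),
]
# Amith's suggestion: userPassword rule first, anonymous gets auth only.
REORDERED = [
    (None, ["userPassword"], [("self", "write"), ("anonymous", "auth")]),
    (None, None, [("self", "write"), ("users", "read"), ("anonymous", "auth")]),
]
```

Running the original set shows why the MOD failed with err=50 (self only gets read on userPassword) and also that any reader was granted read on the password hashes; the reordered set grants self write and anonymous auth only.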