DSGW problem - browser user tries to change password

On Tue, 2008-12-02 at 08:37 -0700, Rich Megginson wrote:
> John A. Sullivan III wrote:
> > Hello, all.  As explained in the last email, we do not allow anonymous
> > browsing but have a specific user with limited rights browsing the tree
> > to find users' identities for logging into DSGW.  We also have a policy
> > that users must change their passwords after a reset.
> >
> > We have a test user sue.sutter.  We reset her password and then had her
> > attempt to login to DSGW.  Sure enough, she was told she needed to
> > changed her password and was given the option to do so.  However, the
> > attempt failed with the below error messages:
> >
> > Editing sue.sutter... 
> > Sending changes to the directory server...
> >
> > An error occurred while contacting the LDAP server. 
> > (Insufficient access - Insufficient 'write' privilege to the
> > 'userPassword' attribute of entry
> > 'uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz'. )
> > You do not have sufficient privileges to perform the operation. 
> >
> > That seemed very strange because when we test changing passwords using
> > her posix account, it works just fine.  We then gave the browsing user
> > (not sue.sutter) full rights to the tree and, lo and behold, it worked:
> >
> > Giving the directory browser user all rights allowed a successful
> > password change.
> >
> > It appears the browsing user is the one attempting to change the user's
> > password and not the user.  Is that the way it's supposed to be? I
> > certainly would not want a browse only utility user able to change user
> > passwords.  Perhaps I am missing something.  Thanks - John
> >   
> I suppose it is because you have configured the DSGW to use the browsing 
> user.  I'm not sure how to change the DSGW to use the browsing user for 
> some operations but not others, or even if it is possible.
<snip>
I might be out of place to say this but I suspect it is a design flaw.
Even if we allowed anonymous browsing, the last thing on Earth we want
is for an anonymously browsing user to change passwords.  I would think
the code is not setting the user for the change password operation to
the logged in user but rather whoever browsed which could be
"ldap:///anyone".  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
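The access-control behaviour John describes, as an added illustration that is not DSGW or 389 Directory Server code: a small model of ACI evaluation with constructed entries, bind DNs and ACIs, showing that a gateway which performs the modify while bound as its browsing account hits the "Insufficient 'write' privilege" error, that widening the browsing account's rights "fixes" it by letting that account change anyone's password, and that binding as the authenticated user satisfies a self-write ACI without any such grant.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Bind-rule subjects used in 389 DS ACIs (the thread mentions ldap:///anyone).
ANYONE = "ldap:///anyone"
SELF = "ldap:///self"


@dataclass(frozen=True)
class Aci:
    target_attr: Optional[str]   # None means the ACI applies to every attribute
    rights: FrozenSet[str]       # e.g. {"read", "search"} or {"write"}
    userdn: str                  # ldap:///self, ldap:///anyone, or one specific bind DN


# Constructed names and policy mirroring the thread: the browsing account may only
# read/search the tree, and only an entry's owner may write her own userPassword.
BROWSER_DN = "uid=dsgw-browser,ou=services,dc=example,dc=com"
SUE_DN = "uid=sue.sutter,ou=users,dc=example,dc=com"
ACIS: List[Aci] = [
    Aci(None, frozenset({"read", "search"}), BROWSER_DN),
    Aci("userPassword", frozenset({"write"}), SELF),
]


def allowed(bind_dn: Optional[str], target_dn: str, attr: str, right: str,
            acis: List[Aci] = ACIS) -> bool:
    """True if some ACI grants `right` on `attr` of `target_dn` to `bind_dn` (None = anonymous)."""
    for aci in acis:
        if right not in aci.rights:
            continue
        if aci.target_attr is not None and aci.target_attr.lower() != attr.lower():
            continue
        if aci.userdn == ANYONE:
            return True
        if bind_dn is None:
            continue  # anonymous binds match nothing but ldap:///anyone
        if aci.userdn == SELF and bind_dn.lower() == target_dn.lower():
            return True
        if aci.userdn.lower() == bind_dn.lower():
            return True
    return False


def change_password(bind_dn: Optional[str], target_dn: str, acis: List[Aci] = ACIS) -> str:
    """Model the gateway's modify of userPassword; returns 'ok' or the server's refusal."""
    if allowed(bind_dn, target_dn, "userPassword", "write", acis):
        return "ok"
    return "Insufficient 'write' privilege to the 'userPassword' attribute of entry '%s'" % target_dn


if __name__ == "__main__":
    print(change_password(BROWSER_DN, SUE_DN))   # bound as the browsing account: refused
    print(change_password(SUE_DN, SUE_DN))       # bound as the logged-in user: ok via self-write
    print(change_password(None, SUE_DN))         # anonymous: refused
```

The last case matters for the anonymous-browsing configuration in the thread: an anonymous bind matches only ldap:///anyone, so a gateway that reuses the browsing bind would need an anyone-write ACI on userPassword before the change could succeed, which is exactly the grant a directory should never carry.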
