Re: using PWM with 389 DS


 



(targetattr="*")(version 3.0;acl "PWM_admin";allow (all) userdn = "ldap:///uid=pwadminuser,ou=People,dc=mycompany,dc=com";)

My 'all' is probably bad, but you only allowing 'all' might be preventing the user from reading the directory.

-----Original Message-----
From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Elizabeth Jones
Sent: Tuesday, March 05, 2013 4:23 PM
To: General discussion list for the 389 Directory server project.
Subject: Re:  using PWM with 389 DS

These are the ACIs I added based on the PWM guide -


dn: ou=People,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (targetattr = "*") (target = "ldap:///ou=People,dc=mycompany,dc=com";) (version 3.0; acl "PWM Proxy Add Users"; allow (add) (userdn = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com";);)


dn: ou=People,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (targetattr = "userpassword || pwmResponseSet") (version 3.0;acl "PWM Allow self entry modification";allow (write)(userdn = "ldap:///self";);)

dn: ou=People,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (targetattr = "pwmGUID || pwmlastPwdUpdate || userPassword || objectClass || pwmEventLog") (target = "ldap:///ou=People,dc=mycompany,dc=com";) (version 3.0; acl "PWM Proxy Reset Password"; allow (write) (userdn = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com";);)



> Can you post your ACIs? It really sounds like that might be the issue.
> I have PWM running against 389DS with no real trouble.
>
> Josh
>
>
> --
> Joshua Ellsworth
> Senior Systems Administrator
> Primatics Financial
>
>
>
> -----Original Message-----
> From: 389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx
> [mailto:389-users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of
> Elizabeth Jones
> Sent: Tuesday, March 05, 2013 12:12 PM
> To: 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> Subject:  using PWM with 389 DS
>
> I was wondering if anyone here has integrated PWM into your 389 DS and
> might be able to help me out.
>
> We want to use PWM just for allowing users to change their passwords.
> I followed the documentation that is here
>
> https://docs.google.com/document/d/1I9u1xaVrIOTFj8Le7uzCM5zGqrODCi9Udo
> 2gGZyAapc/edit?pli=1#heading=h.rvkap1ozsaom
>
> to add the users and aci's that PWM needs, following the directions in
> the doc (except that I had to change from replace to add to the aci
> section or it wiped out our existing acis).
>
> Following this doc, I added users pwmproxy and pwmtest to
> People,mycompany,com
>
> Using PWM, I can access the pwmproxy and pwmtest users at the People
> level and change their passwords. I can also add additional
> test/generic users at this level (People, mycompany, com) and access
> those using pwm. But if I try to access any of our existing user IDs that are below People, i.e.
>
> internal,people,company,com
> external,people,company,com
>
> PWM says it can't find those users.
>
> Any thoughts on what else I might need to do to get to those users?
>
> thanks
>
> EJ
>
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users



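As an added check (not part of this thread, and not PWM's or 389 DS's own tooling), the script below parses the ACI subset posted above and reports which permissions each ACI explicitly allows to a given bind DN. Fed the proxy ACIs from the PWM guide, it shows cn=pwmproxy being granted only add and write by those ACIs, with no read or search, which is the gap the reply about 'all' versus a single permission points at. The ACI strings are reconstructed from the messages above; the assumption that a lookup account needs at least read and search is mine, and the parser only sees the ACIs it is given (deny rules, self/anyone bind rules and any ACIs higher in the tree are not evaluated), so it is a lower bound rather than the server's effective-rights answer.

```python
"""Added example (not from the thread, not PWM or 389 DS tooling): audit which
permissions a set of 389 DS ACIs explicitly grant to a given bind DN.

Handles the ACI subset used in the posted LDIF: (targetattr ...), an optional
(target ...), then (version 3.0; acl "name"; allow/deny (...) userdn ...;).
The sample ACIs below are reconstructed from the mailing-list thread.
"""
import re

# "all" in 389 DS expands to every permission except proxy.
ALL_PERMS = {"read", "write", "search", "compare", "selfwrite", "add", "delete"}
# Assumption: a service account that locates users by uid needs at least these.
LOOKUP_PERMS = {"read", "search"}

ACI_RE = re.compile(
    r'^\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)'            # (targetattr = "a || b")
    r'(?:\s*\(\s*target\s*=\s*"(?P<target>[^"]*)"\s*;?\s*\))?'   # (target = "ldap:///...";) optional
    r'\s*\(\s*version\s*3\.0\s*;\s*acl\s*"(?P<name>[^"]*)"\s*;'   # (version 3.0; acl "name";
    r'(?P<rules>.*)\)\s*$',                                      # bind rules up to the final ")"
    re.DOTALL | re.IGNORECASE,
)
# allow (read, search) userdn = "ldap:///..." with or without parentheses around the bind rule
RULE_RE = re.compile(
    r'(allow|deny)\s*\(\s*([^)]*)\)\s*\(?\s*userdn\s*=\s*"([^"]*)"', re.IGNORECASE
)


def parse_aci(aci):
    """Return {"name", "attrs", "target", "rules"}; rules are (effect, perms, userdn) tuples."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("ACI not in the supported subset: " + aci)
    attrs = [a.strip().lower() for a in m.group("attrs").split("||")]
    rules = []
    for effect, perms, userdn in RULE_RE.findall(m.group("rules")):
        perm_set = {p.strip().lower() for p in perms.split(",") if p.strip()}
        if "all" in perm_set:
            perm_set = (perm_set - {"all"}) | ALL_PERMS
        rules.append((effect.lower(), perm_set, userdn))
    return {"name": m.group("name"), "attrs": attrs,
            "target": m.group("target"), "rules": rules}


def granted_rights(acis, bind_dn):
    """Map ACI name -> permissions that ACI explicitly allows to bind_dn.

    Only exact userdn matches count: 'ldap:///self', 'ldap:///anyone', wildcard
    DNs and deny rules are not evaluated, so this is a lower bound on what the
    account can do, not the server's effective-rights answer."""
    rights = {}
    for aci in (parse_aci(a) for a in acis):
        for effect, perms, userdn in aci["rules"]:
            if effect == "allow" and userdn.lower() == bind_dn.lower():
                rights.setdefault(aci["name"], set()).update(perms)
    return rights


def lookup_rights_missing(acis, bind_dn):
    """Permissions from LOOKUP_PERMS that none of the given ACIs grant to bind_dn."""
    granted = set().union(*granted_rights(acis, bind_dn).values())
    return LOOKUP_PERMS - granted


# Constructed sample: the four ACIs quoted in the thread, one per string.
SAMPLE_ACIS = [
    '(targetattr="*")(version 3.0;acl "PWM_admin";allow (all) userdn = '
    '"ldap:///uid=pwadminuser,ou=People,dc=mycompany,dc=com";)',
    '(targetattr = "*") (target = "ldap:///ou=People,dc=mycompany,dc=com";) '
    '(version 3.0; acl "PWM Proxy Add Users"; allow (add) '
    '(userdn = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com";);)',
    '(targetattr = "userpassword || pwmResponseSet") (version 3.0;'
    'acl "PWM Allow self entry modification";allow (write)(userdn = "ldap:///self";);)',
    '(targetattr = "pwmGUID || pwmlastPwdUpdate || userPassword || objectClass || pwmEventLog") '
    '(target = "ldap:///ou=People,dc=mycompany,dc=com";) (version 3.0; '
    'acl "PWM Proxy Reset Password"; allow (write) '
    '(userdn = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com";);)',
]
PROXY_DN = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com"
ADMIN_DN = "ldap:///uid=pwadminuser,ou=People,dc=mycompany,dc=com"

if __name__ == "__main__":
    for dn in (PROXY_DN, ADMIN_DN):
        print(dn)
        for name, perms in granted_rights(SAMPLE_ACIS, dn).items():
            print(f"  {name!r}: {sorted(perms)}")
        missing = lookup_rights_missing(SAMPLE_ACIS, dn)
        print("  lookup rights missing:", sorted(missing) or "none")
```

Because the script never talks to the server, the real confirmation is a search bound as the proxy account against an entry in one of the sub-OUs (or 389 DS's get-effective-rights control), which also accounts for any anonymous-read or other ACIs already present above ou=People.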


