Re: password change does not work: LDAP, sssd, nss or pam error?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, 2010-10-09 at 09:53 +0200, Volker Potworowski wrote:

> access to *
>         by dn.exact="cn=root,dc=teraphim,dc=de" read
>         by * none
> access to attrs=userPassword
>         by dn.base="cn=Manager,dc=teraphim,dc=de" write
>         by anonymous auth
>         by self write
>         by * none
> access to attrs=shadowLastChange
>         by self write
>         by * read
> access to *
>         by self write
>         by * read
----
these ACL's are not good. ACL's are parsed from top to bottom and once a
controlling rule is hit, the rest is ignored. That means unless you are
binding as rootbinddn or 'cn=root,dc=teraphim,dc=de' (which I guess IS
rootbinddn) then you are locked out - period. Suggest that you change
them to something like this...

access to attrs=userPassword
        by dn.base="cn=Manager,dc=teraphim,dc=de" write
        by anonymous auth
        by self write
        by * none
# I'd probably at least comment this one out for now and I'm still
# not sure why you really care about this rule anyway
access to attrs=shadowLastChange
        by anonymous auth
        by self write
        by * read
# you're going to have to adjust this next rule to match 
# the setup of your DSA
access to dn.regex="^uid=([^,]+)ou=People,dc=teraphim,dc=de$$"
        by self read
        by dn.exact="cn=Manager,dc=teraphim,dc=de" write write
        by anonymous auth
        by * none
access to *
        by anonymous auth
        by self write
        by * read

and I'm presuming that "cn=root,dc=teraphim,dc=de" is the rootbinddn in
which case any entries in ACL's are meaningless since rootbinddn is by
design permitted to do anything.

Craig



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux