Hi, thanks for the reply,
On Tue, Sep 18, 2018 at 09:40:00PM +0200, Clément OUDOT wrote:
> On 18/09/2018 at 18:11, Ervin Hegedüs wrote:
> > Hi, there is an interesting insufficient access problem...
> >
> > There are 3 (in the dev environment 2) multimaster LDAP nodes.
> >
> > There is a simple web frontend, written in PHP, where a user can
> > change their own password, or can get a link to set up a new password
> > if the old one has been lost.
> >
> > In some cases (for some users) the user can't change their own password
> > through PHP. When I change it from the webserver with ldapmodify and
> > a simple LDIF file, it works fine.
> >
> > But when I try to modify the password through PHP, I get an
> > "Insufficient access" error, and these lines are in syslog:
> >
> >
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: o
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u ...
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: d
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: c
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: =
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: h
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]: u
> > Sep 18 17:48:13 dev-ldap-01 slapd[12125]:
> >
>
> I would say that the PHP application is sending some garbage to the
> directory. What application are you using for password change, is it LTB
> Self Service Password?
No, that's a custom development, which will be extended with many other features, but that doesn't matter now. But then I don't understand why this error only affects a few users (the total number of users is about 200 now; we know of 2-3 affected users).

Anyway, I thought the same as you wrote, so I switched back to plain LDAP (instead of LDAPS) and made a capture on the LDAP side. There isn't any garbage in the packets; all requests contain absolutely normal lines... If you are interested, I can send you a cap file, but of course it contains sensitive data. I can share some screenshots of the traffic; hopefully they show that there is no other garbage:

https://www.dropbox.com/sh/x8ol6cfc39zj7cp/AADCo3CgcHPQnvOre4hjuULpa

Thanks again,

a.
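To reason about a slapd ACL trace like the one quoted in the thread, it helps to re-run the check offline: pull the access request and the ACL index that slapd reports as matched out of the log, then apply that ACL's dn.regex to the DNs of the users who do and do not fail. The script below is an added example for this thread, not code from the original poster or from OpenLDAP. The trace lines are the ones quoted above (with the wrapped `access_allowed` line rejoined); the two extra user DNs are constructed. It assumes, as the trace itself shows (`Comp1` matching `ou=COMP1`, and a match that does not start at offset 0), that slapd evaluates dn.regex case-insensitively and without anchoring the pattern unless it carries `^` or `$`; slapd matches against the normalized DN, so spans on a raw DN may differ slightly from the `match[...]` offsets in a real trace.

```python
"""Re-check which OpenLDAP ACL a slapd ACL trace says matched, and which user
DNs fall under that ACL's dn.regex pattern.

Added example for the thread; not the original poster's code. The trace lines
are the ones quoted in the thread (first line rejoined after syslog wrapping);
the extra user DNs in CANDIDATE_DNS are constructed.
"""
import re

# slapd ACL trace excerpt quoted in the thread.
SAMPLE_TRACE = """\
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => access_allowed: search access to "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu" "objectClass" requested
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dn: [2] ou=djp,dc=wificloud,dc=company,dc=hu
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => dnpat: [3] ou=(AH|Delta|Comp1|Comp2|Comp3),dc=wificloud,dc=company,dc=hu nsub: 1
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] matched
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => acl_get: [3] attr objectClass
Sep 18 17:48:13 dev-ldap-01 slapd[12125]: => match[dn0]: 26 60
"""

ACCESS_RE = re.compile(r'=> access_allowed: (\w+) access to "([^"]+)" "([^"]+)" requested')
DNPAT_RE = re.compile(r'=> dnpat: \[(\d+)\] (\S+) nsub: (\d+)')
MATCHED_RE = re.compile(r'=> acl_get: \[(\d+)\] matched')


def parse_acl_trace(text):
    """Extract the access check and the ACL slapd reports as matched."""
    info = {"access": None, "target_dn": None, "attr": None,
            "dnpats": {}, "matched_acl": None}
    for line in text.splitlines():
        m = ACCESS_RE.search(line)
        if m:
            info["access"], info["target_dn"], info["attr"] = m.groups()
            continue
        m = DNPAT_RE.search(line)
        if m:
            info["dnpats"][int(m.group(1))] = m.group(2)
            continue
        m = MATCHED_RE.search(line)
        if m:
            info["matched_acl"] = int(m.group(1))
    # dn.regex pattern of the ACL that won, if the trace printed one for it.
    info["dnpat"] = info["dnpats"].get(info["matched_acl"])
    return info


def dn_matches(dnpat, dn):
    """Apply a dn.regex clause the way the trace shows slapd doing it:
    case-insensitive, and unanchored unless the pattern itself has ^ / $,
    so a suffix pattern selects every entry beneath that suffix.
    Returns the (start, end) span of the match, or None."""
    m = re.search(dnpat, dn, re.IGNORECASE)
    return m.span() if m else None


def which_users_hit_acl(dnpat, dns):
    """Per DN: does this ACL's dn.regex select it (True) or fall through (False)?"""
    return {dn: dn_matches(dnpat, dn) is not None for dn in dns}


# Constructed candidates: the user from the trace, a user in another OU named in
# the alternation (different case), and a user in an OU the alternation omits.
CANDIDATE_DNS = [
    "uid=comp1_user1,ou=Users,ou=COMP1,dc=wificloud,dc=company,dc=hu",
    "uid=comp2_user7,ou=Users,ou=comp2,dc=wificloud,dc=company,dc=hu",
    "uid=gamma_user3,ou=Users,ou=Gamma,dc=wificloud,dc=company,dc=hu",
]

if __name__ == "__main__":
    info = parse_acl_trace(SAMPLE_TRACE)
    print(f'{info["access"]} access to {info["attr"]} on {info["target_dn"]}')
    print(f'slapd matched ACL [{info["matched_acl"]}] with dn.regex {info["dnpat"]}')
    for dn, hit in which_users_hit_acl(info["dnpat"], CANDIDATE_DNS).items():
        print(f'  {"HIT " if hit else "miss"} {dn}')
```

Run it against the trace from the affected and unaffected users: if the affected users' DNs come out as `miss` for the ACL that the working users hit, the request is being decided by a later `access to` clause, and that clause, not the PHP client, is where to look next.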
