Hello,

I’m having trouble understanding why I can’t get a service account to reset a userPassword attribute.

ACLs are:

{0}to attrs=userPassword
      by self write
      by anonymous auth
      by * none
{1}to * 
      by self write
      by users read
      by dn.base="uid=pwreset,dc=example,dc=com" write
      by * none


But when the password reset utility attempts to modify the password I see the following error 50, indicating that the ACL is somehow preventing the pwreset account from modifying userPassword:


Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 fd=22 ACCEPT from IP=192.168.1.104:52888 (IP=0.0.0.0:389)
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=0 STARTTLS
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=0 RESULT oid= err=0 text=
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 fd=22 TLS established tls_ssf=256 ssf=256
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=1 BIND dn="uid=pwreset,dc=example,dc=com" method=128
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=1 BIND dn="uid=pwreset,dc=example,dc=com" mech=SIMPLE ssf=0
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=1 RESULT tag=97 err=0 text=
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=2 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=username))"
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=3 MOD dn="uid=username,ou=People,dc=example,dc=com"
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=3 MOD attr=userPassword
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=3 RESULT tag=103 err=50 text=
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 op=4 UNBIND
Oct  1 14:53:00 bl1231 slapd[10782]: conn=1036 fd=22 closed

I’ve also tried with this ACL combination:

{0}to attrs=userPassword
      by self write
      by anonymous auth
      by dn.base="uid=pwreset,dc=example,dc=com" write
      by * none
{1}to * 
      by self write
      by users read
      by * none

Any advice would be greatly appreciated.

Scott
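The following is an added example, not part of Scott's post and not OpenLDAP code: a small Python model of the two rules that decide this case in slapd's access control, namely that only the first `to` clause whose target matches the attribute is evaluated (later clauses are never consulted), and that within it the first matching `by` line decides. It parses both ACL sets quoted above and reports which clause and which `by` line produced the decision for the pwreset bind DN. The function and constant names (`evaluate`, `ACL_SET_1`, `PWRESET_DN`, `USER_DN`) are the example's own, and real features such as regex targets, groups, sets, the `entry` pseudo-attribute and `break`/`stop` controls are deliberately left out.

```python
import re

# Added example, not OpenLDAP code: a toy model of slapd ACL evaluation that
# only knows the target and subject forms used in the two ACL sets quoted
# in the thread.

# slapd access levels in increasing order; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# ACL text copied from the thread (set 1 and set 2).
ACL_SET_1 = """
{0}to attrs=userPassword
      by self write
      by anonymous auth
      by * none
{1}to *
      by self write
      by users read
      by dn.base="uid=pwreset,dc=example,dc=com" write
      by * none
"""

ACL_SET_2 = """
{0}to attrs=userPassword
      by self write
      by anonymous auth
      by dn.base="uid=pwreset,dc=example,dc=com" write
      by * none
{1}to *
      by self write
      by users read
      by * none
"""

PWRESET_DN = "uid=pwreset,dc=example,dc=com"
USER_DN = "uid=username,ou=People,dc=example,dc=com"

_TO_LINE = re.compile(r"^(?:\{\d+\})?\s*(?:access\s+)?to\s+(.+)$")


def parse_acl(text):
    """Turn a slapd.conf-style access block into [(target, [(who, level), ...]), ...]."""
    clauses = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _TO_LINE.match(line)
        if m:
            clauses.append((m.group(1).strip(), []))
        elif line.startswith("by "):
            _, who, level = line.split(None, 2)
            clauses[-1][1].append((who, level.strip()))
        else:
            raise ValueError(f"unsupported ACL line: {line}")
    return clauses


def target_matches(target, attr):
    """'to *' matches everything; 'to attrs=a,b' matches the listed attributes."""
    if target == "*":
        return True
    if target.startswith("attrs="):
        names = [a.strip().lower() for a in target[len("attrs="):].split(",")]
        return attr.lower() in names
    raise ValueError(f"unsupported target: {target}")


def who_matches(who, bind_dn, entry_dn):
    """Subject forms used in the thread: *, anonymous, users, self, dn.base=..."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn.base="):
        wanted_dn = who[len("dn.base="):].strip('"')
        return bind_dn is not None and bind_dn.lower() == wanted_dn.lower()
    raise ValueError(f"unsupported subject: {who}")


def evaluate(acl_text, bind_dn, entry_dn, attr, wanted="read"):
    """Return (allowed, clause_index, deciding_by_line) for one access check.

    First-match semantics: the first 'to' clause whose target matches the
    attribute is the only one evaluated; inside it the first matching 'by'
    decides, and if no 'by' matches the request is denied.
    """
    for index, (target, bys) in enumerate(parse_acl(acl_text)):
        if not target_matches(target, attr):
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, entry_dn):
                allowed = LEVELS.index(level) >= LEVELS.index(wanted)
                return allowed, index, f"by {who} {level}"
        return False, index, "no 'by' matched (denied)"
    return False, None, "no 'to' clause matched (denied)"


if __name__ == "__main__":
    for name, acl in (("set 1", ACL_SET_1), ("set 2", ACL_SET_2)):
        allowed, clause, why = evaluate(acl, PWRESET_DN, USER_DN, "userPassword", "write")
        print(f"{name}: pwreset write userPassword -> {allowed} (clause {clause}, {why})")
```

Under this model the first ACL set denies pwreset write access to userPassword because clause `{0}` matches the attribute and its only applicable line is `by * none`; the `dn.base=` grant in clause `{1}` is never reached, and even for other attributes pwreset lands on `by users read` before its own line. The second set does grant the write under first-match rules, so whatever produces err=50 with that set is not visible in the quoted rules. On a real server the authoritative check is `slapacl(8)`, for example `slapacl -f /etc/openldap/slapd.conf -D "uid=pwreset,dc=example,dc=com" -b "uid=username,ou=People,dc=example,dc=com" userPassword/write` (paths adjusted to the installation), which evaluates the live configuration against the same bind DN, entry and attribute.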
