--On Thursday, October 1, 2020 4:22 PM -0700 Scott Classen
<[email protected]> wrote:
> Hello,
> I'm having trouble understanding why I can't get a service account to
> reset a userPassword attribute.
> ACLs are:
> {0}to attrs=userPassword
> by self write
> by anonymous auth
> by * none
> {1}to *
> by self write
> by users read
> by dn.base="uid=pwreset,dc=example,dc=com" write
> by * none
> But when the password reset utility attempts to modify the password I see
> the following 50 error, indicating that the ACL is somehow preventing the
> pwreset account from modifying userPassword
The above ACLs give no access to the userPassword attribute for the pwreset
DN.
> {0}to attrs=userPassword
> by self write
> by anonymous auth
> by dn.base="uid=pwreset,dc=example,dc=com" write
> by * none
> {1}to *
> by self write
> by users read
> by * none
The above ACLs give the pwreset DN write access to the userPassword
attribute, but do not give any access to the pseudo "entry" attribute,
which is mandatory as documented in the slapd.access(5) man page.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
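The two failures in the thread come from how slapd evaluates ACLs: for a given attribute only the first `to` clause that matches it is consulted, and once a `by` clause matches the requester (here `by * none`) evaluation stops. So in the first set the `dn.base` grant inside `to *` is never reached for userPassword, and in the second set the reset DN gets write on userPassword but nothing explicit on the "entry" pseudo-attribute that a modify also needs. The following is an added example, not configuration from the thread or from Symas: a cn=config LDIF that puts the reset grant in the userPassword clause and adds an explicit entry clause ahead of the catch-all. It assumes the data database is `olcDatabase={1}mdb,cn=config` and that the config database is reachable over `ldapi:///` with SASL EXTERNAL; both are assumptions, check your own `olcDatabase` entries first. Because `replace: olcAccess` overwrites every existing value, the LDIF carries the complete ACL set.

```ldif
# Added example (not from the original thread). Assumes the data backend
# is olcDatabase={1}mdb,cn=config; verify with:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" olcAccess
# Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f pwreset-acl.ldif
#
# Folded lines (two leading spaces) join with a single space, so each
# olcAccess value is one "to ... by ... by ..." string on disk.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: the only clause slapd consults for userPassword. The reset DN's
# grant has to be here, before "by * none" ends evaluation. Anonymous
# keeps "auth" so simple binds (including pwreset's own) still work.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by dn.base="uid=pwreset,dc=example,dc=com" write
  by * none
# {1}: explicit access to the "entry" pseudo-attribute, which a modify
# requires per slapd.access(5). "write" is the top of the cumulative
# none<auth<compare<search<read<write ladder, so it covers whatever
# level the operation checks. Nothing here grants "children", so the
# reset DN still cannot add, delete or rename entries.
olcAccess: {1}to attrs=entry
  by self write
  by dn.base="uid=pwreset,dc=example,dc=com" write
  by users read
  by * none
# {2}: everything else; the reset DN is an ordinary authenticated user
# here and gets read only, so it cannot touch other attributes.
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

To check the result without the reset utility, bind as `uid=pwreset,dc=example,dc=com` with `ldapmodify -x` and send a `replace: userPassword` for a test account; the modify should now return success instead of result code 50 (insufficientAccessRights), and `ldapwhoami -x -D <test account DN> -W` with the new password confirms the hash was stored. If the directory keeps people under a dedicated container, tighten the `{1}` clause with `to dn.subtree="<that container>" attrs=entry` so the reset DN's entry access does not extend to the whole tree; the container DN is not given in the thread, so it is left out here.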