> On Oct 1, 2020, at 3:27 PM, Quanah Gibson-Mount <[email protected]> wrote:
>
>
>
> --On Thursday, October 1, 2020 4:22 PM -0700 Scott Classen <[email protected]> wrote:
>
>> Hello,
>>
>> I'm having trouble understanding why I can't get a service account to
>> reset a userPassword attribute.
>>
>> ACLs are:
>>
>> {0}to attrs=userPassword
>>   by self write
>>   by anonymous auth
>>   by * none
>> {1}to *
>>   by self write
>>   by users read
>>   by dn.base="uid=pwreset,dc=example,dc=com" write
>>   by * none
>>
>>
>> But when the password reset utility attempts to modify the password I see
>> the following 50 error, indicating that the ACL is somehow preventing the
>> pwreset account from modifying userPassword.
>
> The above ACLs give no access to the userPassword attribute for the pwreset
> DN.
>
>>
>> {0}to attrs=userPassword
>>   by self write
>>   by anonymous auth
>>   by dn.base="uid=pwreset,dc=example,dc=com" write
>>   by * none
>> {1}to *
>>   by self write
>>   by users read
>>   by * none
>
> The above ACLs give the pwreset DN write access to the userPassword
> attribute, but do not give any access to the pseudo "entry" attribute, which
> is mandatory as documented in the slapd.access(5) man page.
>
> Regards,
> Quanah
>
I added this as the first ACL and now things are working:

{0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword
  by dn.exact="uid=pwreset,dc=example,dc=com" write
  by * break
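Added example, not code from the thread or from OpenLDAP: a small Python model of the access evaluation described in slapd.access(5), run over the three ACL sets quoted above. It shows the two failures Quanah points to (the first set grants the pwreset DN nothing on `userPassword`; the second grants it `write` on `userPassword` but not on the `entry` pseudo-attribute, which a modify also needs) and why the working directive ends in `by * break` rather than `by * none`: everyone except pwreset falls through to the directives that follow, so self-service password changes and anonymous `auth` keep working. It models only the syntax the thread uses (`to *`, `dn.subtree=`, `attrs=`, `by self|anonymous|users|*|dn.base=|dn.exact=`, `stop`/`break`). Assumptions: the new directive was prepended to the second ACL set, and the target DNs (`uid=alice,ou=People,dc=example,dc=com`, `uid=bob,...`, `cn=admin,dc=example,dc=com`) are constructed for the demonstration.

```python
"""Model of slapd ACL evaluation (slapd.access(5)) for the syntax used in this thread.
Added illustration, not OpenLDAP code. Modelled: <to> clauses are tried in order and the
first matching <by> decides; `stop` (default) ends evaluation, `break` keeps the level so
far and goes on to the next <to>; a matching <to> with no matching <by> is an implicit
`by * none`; a modify needs `write` on the `entry` pseudo-attribute and on each changed
attribute. Not modelled: `continue`, incremental +/- privileges, filter=, regex, group=,
ssf=. With no matching directive at all this model denies (never reached below)."""
import re
import shlex
from collections import namedtuple

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ANONYMOUS = ""  # an anonymous bind has an empty DN

By = namedtuple("By", "who access control")  # who: "*", "anonymous", "users", "self", "dn=<DN>";
# access: a LEVELS entry or None when omitted (level left unchanged); control: "stop" or "break"
To = namedtuple("To", "attrs subtree by")    # attrs: set of lower-cased names or None for `to *`;
# subtree: DN from dn.subtree=, or None; by: list of By in directive order

def who_matches(by, requester, target_dn):
    return {"*": True, "anonymous": requester == ANONYMOUS, "users": requester != ANONYMOUS,
            "self": requester == target_dn}.get(by.who, requester == by.who[len("dn="):])

def what_matches(clause, target_dn, attr):
    in_scope = (clause.subtree is None or target_dn == clause.subtree
                or target_dn.endswith("," + clause.subtree))
    return in_scope and (clause.attrs is None or attr in clause.attrs)

def parse_acl(text):
    """Parse one access directive; an olcAccess `{n}` index prefix is ignored."""
    toks = shlex.split(re.sub(r"^\{\d+\}", "", text.strip()))
    if not toks or toks[0] != "to":
        raise ValueError("directive must start with 'to'")
    attrs = subtree = None
    bys, i = [], 1
    while i < len(toks) and toks[i] != "by":  # <what> side
        t = toks[i]
        if t.startswith("attrs="):
            attrs = {a.lower() for a in t[len("attrs="):].split(",")}
        elif t.startswith("dn.subtree="):
            subtree = t[len("dn.subtree="):]
        elif t != "*":
            raise ValueError(f"unsupported <what>: {t}")
        i += 1
    while i < len(toks):  # by <who> [<access>] [stop|break]
        if toks[i] != "by" or i + 1 >= len(toks):
            raise ValueError("malformed by clause")
        who, i = toks[i + 1], i + 2
        access = control = None
        if i < len(toks) and toks[i] in LEVELS:
            access, i = toks[i], i + 1
        if i < len(toks) and toks[i] in ("stop", "break"):
            control, i = toks[i], i + 1
        who = re.sub(r"^dn\.(base|exact)=", "dn=", who)  # dn.base and dn.exact are synonyms
        if who.split("=")[0] not in ("*", "anonymous", "users", "self", "dn"):
            raise ValueError(f"unsupported <who>: {who}")
        bys.append(By(who, access, control or "stop"))
    return To(attrs, subtree, bys)

def parse_acls(block):
    """Split a pasted olcAccess listing at each `{n}` index and parse every directive."""
    return [parse_acl(p) for p in re.split(r"(?m)^\s*(?=\{\d+\})", block) if p.strip()]

def access_level(acls, requester, target_dn, attr):
    """Level slapd would grant requester on target_dn/attr, honouring stop and break."""
    attr, carried = attr.lower(), None  # carried: level left by earlier `break` clauses
    for clause in acls:
        if not what_matches(clause, target_dn, attr):
            continue
        for by in clause.by:
            if who_matches(by, requester, target_dn):
                if by.access is not None:  # an omitted <access> leaves the level alone
                    carried = by.access
                if by.control == "stop":
                    return carried or "none"
                break  # `break`: keep the level so far and try the next <to> clause
        else:
            return "none"  # no <by> matched: implicit `by * none`
    return carried or "none"

def modify_denials(acls, requester, target_dn, attrs):
    """Reasons slapd would answer err=50 to a modify (empty list = allowed), in slapd's
    order: the `entry` pseudo-attribute first, then each modified attribute."""
    levels = {a: access_level(acls, requester, target_dn, a) for a in ["entry", *attrs]}
    return [f"{a}: {lvl} (need write)" for a, lvl in levels.items()
            if LEVELS.index(lvl) < LEVELS.index("write")]

# The ACL sets quoted in the thread, one directive per line.
ACL_FIRST = """
{0}to attrs=userPassword by self write by anonymous auth by * none
{1}to * by self write by users read by dn.base="uid=pwreset,dc=example,dc=com" write by * none"""
ACL_SECOND = """
{0}to attrs=userPassword by self write by anonymous auth by dn.base="uid=pwreset,dc=example,dc=com" write by * none
{1}to * by self write by users read by * none"""
# Assumption: the working directive was put in front of the second set (the parser ignores indices).
ACL_FIXED = """
{0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword by dn.exact="uid=pwreset,dc=example,dc=com" write by * break""" + ACL_SECOND
PWRESET = "uid=pwreset,dc=example,dc=com"
ALICE = "uid=alice,ou=People,dc=example,dc=com"  # constructed target entry

if __name__ == "__main__":  # pwreset resetting alice's password under each ACL set
    for name, block in ("first", ACL_FIRST), ("second", ACL_SECOND), ("fixed", ACL_FIXED):
        print(name, modify_denials(parse_acls(block), PWRESET, ALICE, ["userPassword"]) or "allowed")
```

Under the first set the model reports two denials for pwreset, not one: besides `none` on `userPassword`, it gets only `read` on `entry`, because `by users read` comes before its own clause in `to *` and the first matching `by` wins. Under the second set only the `entry` denial remains, which is the err=50 in the thread. With the working directive in front, pwreset gets `write` on both for entries under `ou=People`, while for `cn=admin` outside that subtree it is still stopped by `entry`. Replacing the trailing `by * break` with `by * none` makes the first directive final for everyone else, and a user can no longer change their own password or even bind anonymously against `userPassword`.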