>>> Scott Classen <[email protected]> wrote on 02.10.2020 at 02:16 in message <[email protected]>:

> On Oct 1, 2020, at 3:27 PM, Quanah Gibson-Mount <[email protected]> wrote:
>
>> --On Thursday, October 1, 2020 4:22 PM -0700 Scott Classen <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I'm having trouble understanding why I can't get a service account to
>>> reset a userPassword attribute.
>>>
>>> ACLs are:
>>>
>>> {0}to attrs=userPassword
>>>   by self write
>>>   by anonymous auth
>>>   by * none
>>> {1}to *
>>>   by self write
>>>   by users read
>>>   by dn.base="uid=pwreset,dc=example,dc=com" write
>>>   by * none
>>>
>>> But when the password reset utility attempts to modify the password I see
>>> the following 50 error, indicating that the ACL is somehow preventing the
>>> pwreset account from modifying userPassword
>>
>> The above ACLs give no access to the userPassword attribute for the pwreset DN.
>>
>>> {0}to attrs=userPassword
>>>   by self write
>>>   by anonymous auth
>>>   by dn.base="uid=pwreset,dc=example,dc=com" write
>>>   by * none
>>> {1}to *
>>>   by self write
>>>   by users read
>>>   by * none
>>
>> The above ACLs give the pwreset DN write access to the userPassword attribute, but do not give any access to the pseudo "entry" attribute, which is mandatory as documented in the slapd.access(5) man page.
>>
>> Regards,
>> Quanah
>
> I added this as the first ACL and now things are working:
>
> {0}to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,userPassword
>   by dn.exact="uid=pwreset,dc=example,dc=com" write
>   by * break

Hi!

Out of curiosity I had checked our ACLs finding that we do not have the "entry" part, but still everything is working for years. So I'd like to ask: In which version (if any) was that requirement added? Also I could not find the specific reference in my version of the manual page.

Regards,
Ulrich
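The two points Quanah makes in the thread (the first `to` clause that matches the target attribute decides, so a later `to *` grant never reaches `userPassword`; and a password modify also needs write on the `entry` pseudo-attribute) can be checked against a small model of directive evaluation. The script below is an added example, not code from this thread or from OpenLDAP: it encodes the three ACL sets posted above in a deliberately simplified evaluator whose rules are assumptions listed in the docstring, and uses a constructed target DN `uid=alice,ou=People,dc=example,dc=com`. Running it shows why the first two sets deny the pwreset account and why the third one grants it while keeping self-service password changes and anonymous `auth` intact.

```python
"""Simplified model of how slapd evaluates access directives.

Assumptions of this model (a teaching approximation, not slapd's full rule set):
  * directives are tried in order; the first whose <what> matches the target
    entry DN and attribute is used;
  * inside it, <by> clauses are tried in order and the first whose <who>
    matches decides ("stop"), unless its control is "break", in which case
    the level found so far is carried on to the next directive;
  * a <by> clause with no access level (e.g. "by * break") leaves the level
    unchanged;
  * if no <by> clause in the selected directive matches, or no directive
    matches at all, the result is "none";
  * only the <who> forms that appear in the thread are supported.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Access levels in increasing order of privilege, as in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str                      # "*", "self", "anonymous", "users", dn.base="..."/dn.exact="..."
    access: Optional[str] = None  # None: no level given, clause is only a control
    control: str = "stop"         # "stop" (default) or "break"


@dataclass
class Access:
    by: List[By]
    attrs: Optional[Set[str]] = None   # None means every attribute ("to *")
    subtree: Optional[str] = None      # dn.subtree="..." restriction; None means any entry


def _norm(dn: str) -> str:
    # slapd compares normalized DNs; lower-casing and trimming spaces is enough here
    return dn.replace(", ", ",").lower()


def _what_matches(acl: Access, target_dn: str, attr: str) -> bool:
    if acl.subtree is not None:
        base, t = _norm(acl.subtree), _norm(target_dn)
        if not (t == base or t.endswith("," + base)):
            return False
    if acl.attrs is not None and attr.lower() not in {a.lower() for a in acl.attrs}:
        return False
    return True


def _who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and _norm(bind_dn) == _norm(target_dn)
    if who.startswith("dn.base=") or who.startswith("dn.exact="):
        wanted = who.split("=", 1)[1].strip('"')
        return bind_dn is not None and _norm(bind_dn) == _norm(wanted)
    raise ValueError(f"<who> form not supported by this model: {who}")


def access_level(acls: List[Access], bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    """Access level bind_dn ends up with on (target_dn, attr) under this model."""
    level = "none"
    for acl in acls:
        if not _what_matches(acl, target_dn, attr):
            continue
        matched = next((b for b in acl.by if _who_matches(b.who, bind_dn, target_dn)), None)
        if matched is None:
            return "none"               # no <by> matched: implicit "by * none"
        if matched.access is not None:
            level = matched.access
        if matched.control != "break":
            return level                # "stop": this match decides
        # "break": fall through to the next directive with the current level
    return level


def can_modify_userpassword(acls: List[Access], bind_dn: Optional[str], target_dn: str) -> bool:
    """A modify of userPassword needs write on the attribute AND on the 'entry' pseudo-attribute."""
    return all(LEVELS.index(access_level(acls, bind_dn, target_dn, a)) >= LEVELS.index("write")
               for a in ("userPassword", "entry"))


PWRESET = "uid=pwreset,dc=example,dc=com"
ALICE = "uid=alice,ou=People,dc=example,dc=com"     # constructed target entry

# Scott's first ACL set: pwreset is only mentioned under "to *".
ORIGINAL = [
    Access(attrs={"userPassword"}, by=[By("self", "write"), By("anonymous", "auth"), By("*", "none")]),
    Access(by=[By("self", "write"), By("users", "read"), By(f'dn.base="{PWRESET}"', "write"), By("*", "none")]),
]
# Second attempt: write on userPassword, but "entry" still falls under "to *".
SECOND_ATTEMPT = [
    Access(attrs={"userPassword"}, by=[By("self", "write"), By("anonymous", "auth"),
                                       By(f'dn.base="{PWRESET}"', "write"), By("*", "none")]),
    Access(by=[By("self", "write"), By("users", "read"), By("*", "none")]),
]
# The working set: the added directive covers both attributes and breaks for everyone else.
WORKING = [
    Access(subtree="ou=People,dc=example,dc=com", attrs={"entry", "userPassword"},
           by=[By(f'dn.exact="{PWRESET}"', "write"), By("*", control="break")]),
] + SECOND_ATTEMPT


if __name__ == "__main__":
    for name, acls in (("original", ORIGINAL), ("second attempt", SECOND_ATTEMPT), ("working", WORKING)):
        up = access_level(acls, PWRESET, ALICE, "userPassword")
        en = access_level(acls, PWRESET, ALICE, "entry")
        print(f"{name:15} pwreset: userPassword={up:5} entry={en:5} "
              f"can reset={can_modify_userpassword(acls, PWRESET, ALICE)}")
```

The `by * break` in the working set is what keeps the rest of the policy intact: for any bind DN other than pwreset the first directive sets no level and hands evaluation on, so a user still gets `write` on their own `userPassword` and an anonymous bind still gets `auth`. Scoping the directive with `dn.subtree` also means the reset account gains nothing on entries outside `ou=People`.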
