A little more on openLDAP
m.roth2006 at rcn.com
Fri Feb 15 19:38:58 UTC 2008
...(and I did refrain from typing openLCRAP).
Having spent another day and a half fighting what I thought I had fixed... here's more.
The sequence is critical in the ACL. From what I've read:
a) the first match takes it, so whatever it hits first is what's in effect.
b) when you're coming in, first you need the ability to read with anonymous authority, so that you can look up who you are, so that you can give it your password, so you can be authorized to change your password.
Got that? Make sense? Not to me, either. AND they don't give you a default ACL that lets users change their own passwords (and why is that?)
So, I had to change to
# password attrs first: with first-match, a rule placed after "access to *" is never reached
access to attrs=shadowLastChange,userPassword
        # only you can write your own
        by self write
        # but you come in to start with anon authority
        by anonymous auth
        # nobody else gets the hash (slapd's default anyway, but explicit)
        by * none
# all other attributes
access to *
        # only you can write; must come before "by *" or everyone, self included, gets read only
        by self write
        # anybody can read it
        by * read
Geez, what crap. And before someone stands up for it, here's how I would do it:
<I'm coming in>
<do I know your name?>
  no)  can you do what you want with anon authority?
       yes) [ok, let's do what you want]
       no)  go away, boy, ya bother me.
  yes) <ok, do you need a password? [process] yep>
       <prompt for password>
       <password ok?>
         yes) [ok, let's do what you want]
         no)  <are we tired?>
                yes) go away, boy, ya bother me.
                no)  loop to prompt till we get tired
<done>
And what idiot leads you through the process, and *then* looks to see if you're authorized (ldappasswd, interactive)?
mark
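Added illustration, not part of mark's post: a small Python simulator of the first-match ACL evaluation he describes, run over both the ordering in the post and a reordered version. The semantics it assumes are simplified (first matching "access to" directive, then first matching "by" clause inside it; a reduced privilege ladder none < auth < read < write), and the DNs are constructed.

```python
# Assumed semantics (simplified from slapd.conf): the first "access to"
# directive whose target covers the attribute is used, then the first
# matching "by" clause inside it decides; nothing later is consulted.
LEVELS = {"none": 0, "auth": 1, "read": 2, "write": 3}

def who_matches(who, requester, target_dn):
    """Does a 'by' clause ('*', 'self', 'anonymous') apply to this requester?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "self":
        return requester is not None and requester == target_dn
    return False

def evaluate(acl, requester, target_dn, attr):
    """Privilege the ACL grants requester on target_dn's attr (first match wins)."""
    for target_attrs, clauses in acl:
        if target_attrs is not None and attr not in target_attrs:
            continue                     # this directive does not cover attr
        for who, level in clauses:       # first matching "by" clause wins
            if who_matches(who, requester, target_dn):
                return level
        return "none"                    # directive matched, no clause did
    return "none"                        # nothing matched: slapd's default

def can(acl, requester, target_dn, attr, needed):
    """True if the granted level is at least the needed one."""
    return LEVELS[evaluate(acl, requester, target_dn, attr)] >= LEVELS[needed]

# The ordering from the post: "by * read" precedes "by self write", and the
# userPassword directive sits after the catch-all "access to *".
POSTED = [
    (None, [("*", "read"), ("self", "write"), ("anonymous", "auth")]),
    ({"shadowLastChange", "userPassword"},
     [("self", "write"), ("anonymous", "auth")]),
]
# Specific directive first, and the specific "by" clauses before "by *".
CORRECTED = [
    ({"shadowLastChange", "userPassword"},
     [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None, [("self", "write"), ("*", "read")]),
]
if __name__ == "__main__":
    me = "uid=mark,ou=People,dc=example,dc=com"      # constructed DN
    for name, acl in (("posted", POSTED), ("corrected", CORRECTED)):
        print(name, "self writes own userPassword:", can(acl, me, me, "userPassword", "write"))
        print(name, "anyone reads userPassword:", can(acl, "uid=x", me, "userPassword", "read"))
```

With the posted ordering, "by * read" swallows every requester, so a user only ever gets read on their own password attribute and the hash is readable by anyone; the reordered version gives self write, anonymous auth, and everyone else nothing.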