Hello, all. As explained in the last email, we do not allow anonymous browsing but have a specific user with limited rights browsing the tree to find users' identities for logging into DSGW. We also have a policy that users must change their passwords after a reset.
We have a test user sue.sutter. We reset her password and then had her attempt to log in to DSGW. Sure enough, she was told she needed to change her password and was given the option to do so. However, the attempt failed with the error messages below:
Editing sue.sutter... Sending changes to the directory server...
An error occurred while contacting the LDAP server. (Insufficient access - Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz'. ) You do not have sufficient privileges to perform the operation.
That seemed very strange because when we test changing passwords using her posix account, it works just fine. We then gave the browsing user (not sue.sutter) full rights to the tree and, lo and behold, it worked:
Giving the directory browser user all rights allowed a successful password change.
It appears the browsing user is the one attempting to change the user's password and not the user. Is that the way it's supposed to be? I certainly would not want a browse only utility user able to change user passwords. Perhaps I am missing something. Thanks - John
John A. Sullivan III wrote:
<snip>
I suppose it is because you have configured the DSGW to use the browsing user. I'm not sure how to change the DSGW to use the browsing user for some operations but not others, or even if it is possible.
On Tue, 2008-12-02 at 08:37 -0700, Rich Megginson wrote:
<snip>
I suppose it is because you have configured the DSGW to use the browsing user. I'm not sure how to change the DSGW to use the browsing user for some operations but not others, or even if it is possible.
<snip>
I might be out of place to say this, but I suspect it is a design flaw. Even if we allowed anonymous browsing, the last thing on Earth we want is for an anonymously browsing user to change passwords. I would think the code is not setting the user for the change-password operation to the logged-in user but rather to whoever browsed, which could be "ldap:///anyone". Thanks - John
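The thread does not settle whether DSGW can be made to bind as the end user for the password change, but the server-side policy John wants is straightforward to state as 389 Directory Server ACIs: the gateway's search account gets read-only access to the attributes needed to look up a login identity, and only `ldap:///self` may write `userPassword`. The LDIF below is an added example, not configuration from the thread or from the 389 project. It assumes the users' container is `ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz` (the DN in the error message); the search account DN `uid=dsgw-browse,ou=services,dc=ssiservices,dc=biz` and the attribute list are hypothetical and should be replaced with the real ones.

```ldif
# Added example (not from the thread). Two ACIs added to the users'
# container. Assumed DNs: the users container from the error message,
# and a hypothetical DSGW search account uid=dsgw-browse,ou=services,...
dn: ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz
changetype: modify
add: aci
aci: (targetattr="uid || cn || sn || givenName || mail")
  (version 3.0; acl "DSGW search account: read-only identity lookup";
  allow (read, search, compare)
  userdn="ldap:///uid=dsgw-browse,ou=services,dc=ssiservices,dc=biz";)
-
add: aci
aci: (targetattr="userPassword")
  (version 3.0; acl "Users may write only their own userPassword";
  allow (write)
  userdn="ldap:///self";)
```

With these two rules in place the server behaves exactly as the thread's first error shows: a modify of `userPassword` bound as the search account (or as anonymous) is refused with result 50, insufficientAccessRights, while the same modify bound as `uid=sue.sutter,...` succeeds. That makes the gateway's bind identity the thing to verify rather than the server's policy: if the change only works after the search account is granted write, the gateway is sending the change under that account. Before granting a service account anything beyond read, it is also worth listing every ACI that reaches `userPassword` (the `aci` attribute is operational, so request it explicitly, e.g. `ldapsearch ... -b <suffix> '(aci=*)' aci`) and confirming none grants `write` or `all` to the search account or to `ldap:///anyone`.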
389-users@lists.fedoraproject.org