I set up Self Service Password Tool. https://ltb-project.org/documentation/self-service-password. I configured a bind DN for password reset.
$ldap_binddn = "cn=proxyagent,ou=profile,dc=mycompany,dc=com"; $ldap_bindpw = "mypassword";
I'm getting "Password was refused by the LDAP directory (Insufficient access rights )" error when resetting a user's password. If I change the $ldap_binddn to "Directory Manager", it works.
I then added the "cn=proxyagent,ou=profile,dc=mycompany,dc=com" to "PD Managers" group with ACI:
ldapsearch -x -LLL -H ldap://server.mycompany.com:389 -s base -b 'ou=People,dc=mycompany,dc=com' aci dn: ou=People,dc=mycompnay,dc=com aci: (targetattr=*")(targetfilter ="(ou=People)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups ,dc=mycompany,dc=com");)
ldapsearch -x -LLL -H ldap://server.mycompnay.com:389 -s base -b 'cn=PD Managers,ou=Groups,dc=mycompany,dc=com' uniquemember dn: cn=PD Managers,ou=Groups,dc=mycompany,dc=com uniquemember: cn=Directory Manager uniquemember: cn=proxyagent,ou=profile,dc=mycompany,dc=com
The "PD Managers" group has ACI to allow write for ou=People for all attributes. The proxyagent is member of the group. Why binding proxyagent results in "Insufficient Access Right"?
On 9/15/21 11:51 AM, Xinhuan Zheng wrote:
I set up Self Service Password Tool. https://ltb-project.org/documentation/self-service-password. I configured a bind DN for password reset.
$ldap_binddn = "cn=proxyagent,ou=profile,dc=mycompany,dc=com"; $ldap_bindpw = "mypassword";
I'm getting "Password was refused by the LDAP directory (Insufficient access rights )" error when resetting a user's password. If I change the $ldap_binddn to "Directory Manager", it works.
I then added the "cn=proxyagent,ou=profile,dc=mycompany,dc=com" to "PD Managers" group with ACI:
ldapsearch -x -LLL -H ldap://server.mycompany.com:389 -s base -b 'ou=People,dc=mycompany,dc=com' aci dn: ou=People,dc=mycompnay,dc=com aci: (targetattr=*")(targetfilter ="(ou=People)")(version 3.0;acl "Engineering Group Permissions";allow (write)(groupdn = "ldap:///cn=PD Managers,ou=groups ,dc=mycompany,dc=com");)
You are using the target filter incorrectly. The targetfilter is used to evaluate an entry, so in this case the entry must have "ou: people" for access to be granted. I think you are trying to use it as the target: all entries under ou=people,dc=your company. Anyway you don't need it at all in this case, so just remove the targetfilter from the aci and it should start working as expected.
HTH,
Mark
ldapsearch -x -LLL -H ldap://server.mycompnay.com:389 -s base -b 'cn=PD Managers,ou=Groups,dc=mycompany,dc=com' uniquemember dn: cn=PD Managers,ou=Groups,dc=mycompany,dc=com uniquemember: cn=Directory Manager uniquemember: cn=proxyagent,ou=profile,dc=mycompany,dc=com
The "PD Managers" group has ACI to allow write for ou=People for all attributes. The proxyagent is member of the group. Why binding proxyagent results in "Insufficient Access Right"? _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Hi Mark,
You are right. I figure it out the ACI to add is:
(targetattr="userPassword") (version 3.0; acl "Allow proxyagent updating their password"; allow (write) userdn="ldap:///cn=proxyagent,ou=profile,dc=mycompany,dc=com";)
I used LDIF file to add above to the ACI attribute for 'ou=People,dc=mycompany,dc=com'
Thank you,
- Xinhuan
389-users@lists.fedoraproject.org