I have installed ldap 2.4.3 on Ubuntu 14.04. I configured the pwdPolicy overlay, and it works when a user changes his/her own password and when the admin changes the password. The problem is that when the admin changes the password, the policy is not enforced. So I created another account called usermanagement and added that dn to olcAccess. With the usermanagement account I can modify every field I tried, except userPassword. ldap olcAccess does not seem to apply to pwdPolicy.
When I run ldappasswd I get Insufficient access (50).
This is my olcAccess:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=zed,dc=com" write by dn="cn=usermanagement,dc=zed,dc=com" write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=zed,dc=com" write by dn="cn=usermanagement,dc=zed,dc=com" write by * read
EDIT
I enabled debugging and then ran ldappasswd -H ldap://localhost -x -D "uid=luis,ou=users,dc=zed,dc=com" -W -S "uid=vixian,ou=users,dc=zed,dc=com". The log shows:
983c0f8 bdb_dn2entry("cn=passworddefault,ou=policies,dc=zed,dc=com")
5983c0f8 => bdb_entry_get: found entry: "cn=passworddefault,ou=policies,dc=zed,dc=com"
5983c0f8 bdb_entry_get: rc=0
5983c0f8 change password must use DELETE followed by ADD/REPLACE
5983c0f8 send_ldap_result: conn=1004 op=1 p=3
5983c0f8 send_ldap_result: err=50 matched="" text="Must supply old password to be changed as well as new one"
5983c0f8 send_ldap_extended: err=50 oid= len=0
5983c0f8 send_ldap_response: msgid=2 tag=120 err=50
I also tried with ldapmodify: deleting userPassword succeeded, but replace or add produced the same insufficient-access result.
I have updated olcAccess following @ejp's suggestion:
olcAccess: {0}to attrs=userPassword,shadowLastChange
by group/groupOfUniqueNames/uniqueMember.exact="cn=itinst,ou=groups,dc=zed,dc=com" write
by anonymous auth
by self write
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to *
by self write
by group/groupOfUniqueNames/uniqueMember.exact="cn=itinst,ou=groups,dc=zed,dc=com" write
by users read by anonymous search
I have removed the admin from olcAccess; maybe my configuration was misleading for lack of formatting, but anonymous was not given write access. I have added an account in the DIT but still have no access. – Luis
OK, I misread it; that is sorted out and I have seen the edit. Can you post your password policy entry? And the 'ppolicy' configuration? – EJP
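As an added example that is not part of the thread, this is the single modify operation the debug line "change password must use DELETE followed by ADD/REPLACE" refers to: the old userPassword value is deleted and the new one added in the same LDAP modify. The target DN is the one from the question; both password values are constructed placeholders.

```ldif
# Added example, not from the original post: one modify request that
# removes the current userPassword value and adds the replacement value.
# The ppolicy overlay looks for exactly this delete-then-add shape when
# it requires the old password alongside the new one.
# DN taken from the question; password values are constructed placeholders.
dn: uid=vixian,ou=users,dc=zed,dc=com
changetype: modify
delete: userPassword
userPassword: OldPassw0rd-placeholder
-
add: userPassword
userPassword: NewPassw0rd-placeholder
```

Applied with ldapmodify -x -D "uid=luis,ou=users,dc=zed,dc=com" -W -f change.ldif, or equivalently with ldappasswd by passing the old value via -a (or -A to prompt) next to -S. The text "Must supply old password to be changed as well as new one" in the log is the message the ppolicy overlay returns when the applicable policy has pwdSafeModify set to TRUE, so the policy entry EJP asks for is the place to check before changing the ACL further.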