5 messages in net.sourceforge.lists.courier-users: Re: [courier-users] Re: sqwebmail lda...

| From | Sent On | Attachments |
|---|---|---|
| Jano Lukac | Sep 18, 2001 9:46 am | |
| Sam Varshavchik | Sep 18, 2001 2:30 pm | |
| Jano Lukac | Sep 18, 2001 3:34 pm | |
| Sam Varshavchik | Sep 18, 2001 6:02 pm | |
| Jano Lukac | Sep 18, 2001 9:09 pm | |

| Subject: | Re: [courier-users] Re: sqwebmail ldap password changes |
|---|---|
| From: | Jano Lukac (jedo...@yahoo.com) |
| Date: | Sep 18, 2001 9:09:40 pm |
| List: | net.sourceforge.lists.courier-users |
Hello again,
--- Sam Varshavchik <mrs...@courier-mta.com> wrote:

<snip - ldap password stuff>

> There's an authtest program that's compiled in the authinfo subdirectory.

Tried this, along with debug turned on in ldap -- I found the problem, and am totally unsure how to fix this the correct way. I think the answer will be beyond the scope of this mailing list, but it is worth a shot. In short, write access to userPassword is being denied by my ldap ACL, which so far, is the only acl I have (and fairly standard):

```
access to attribute=userPassword
    by dn="cn=toor,dc=forbidden,dc=dance" write
    by self write
    by anonymous auth
    by * none
```
I have rebind set, but it appears to have no effect for changing the password (from the log): (I cleaned this up for relevant info):

```
====> cache_return_entry_r( 11 ): returned (0)
ldbm_back_modify: dn2entry_w: dn: "UID=LUS...@TEST.COM,O=TEST.COM,DC=FORBIDDEN,DC=DANCE"
=> dn2id("UID=LUS...@TEST.COM,O=TEST.COM,DC=FORBIDDEN,DC=DANCE" )
<snip>
====> cache_find_entry_id( 11 ) "uid=lus...@test.com,o=test.com,dc=forbidden,dc=dance" (found) (1 tries)
<= id2entry_w( 11 ) 0x80d9040 (cache)
dbm_modify_internal:
=> access_allowed: write access to "uid=lus...@test.com,o=test.com,dc=forbidden,dc=dance" "userPassword" requested
=> acl_get: [1] check attr userPassword
<= acl_get: [1] acl uid=lus...@test.com,o=test.com,dc=forbidden,dc=dance attr: userPassword
=> acl_mask: access to entry "uid=lus...@test.com,o=test.com,dc=forbidden,dc=dance", attr "userPassword" requested
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: cn=toor,dc=forbidden,dc=dance
<snip>
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: write access denied by auth (=x)
<snip>
```
It appears the rebind has no effect here (if you would like to see, I have put up the full log of the ldap session to http://www.drlukac.com/jano/fridge/ldap.log)?? I can get around this by using LDAP_BINDDN and LDAP_BINDPW with a special user. This solves the problem, which is great, but with all due respect, I'd rather find a more elegant solution than brute force binding and storing the clear text password in authldaprc :) (I suppose one could create a separate dn just for modifying passwords in a specific objectclass, but still...).

That's that. Thanks again to everyone for their time.

Jano
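The trace above shows slapd evaluating the ACL for an empty bind DN, so the `by self` clause can never match and the `by anonymous auth` clause wins. As an added illustration (not code from the message, Courier, or OpenLDAP), this Python helper parses slapd ACL-trace lines like the ones quoted and reports who the server thinks is asking, which clause matched, and whether the granted level covers the request; the sample lines are retyped from the message with its redactions kept.

```python
import re

# Constructed sample: the slapd ACL-trace lines quoted in the message, retyped
# with the archive's redactions ("lus...@test.com") left as they appear.
SAMPLE_TRACE = """\
=> access_allowed: write access to "uid=lus...@test.com,o=test.com,dc=forbidden,dc=dance" "userPassword" requested
=> acl_get: [1] check attr userPassword
=> acl_mask: to value by "", (=n)
<= check a_dn_pat: cn=toor,dc=forbidden,dc=dance
<= check a_dn_pat: self
<= check a_dn_pat: anonymous
<= acl_mask: [3] applying auth (=x) (stop)
<= acl_mask: [3] mask: auth (=x)
=> access_allowed: write access denied by auth (=x)
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # cumulative, low to high

REQ_RE = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
BY_RE = re.compile(r'^=> acl_mask: to value by "([^"]*)"')
MASK_RE = re.compile(r'^<= acl_mask: \[(\d+)\] mask: (\w+)')
VERDICT_RE = re.compile(r'^=> access_allowed: \w+ access (granted|denied)')

def level_sufficient(granted, requested):
    """True when the granted OpenLDAP access level covers the requested one."""
    return LEVELS.index(granted) >= LEVELS.index(requested)

def analyze_acl_trace(trace):
    """Pull one access decision out of slapd ACL trace lines."""
    info = {"requested": None, "entry": None, "attr": None, "bind_dn": None,
            "clause": None, "granted": None, "verdict": None}
    for line in trace.splitlines():
        if m := REQ_RE.match(line):
            info["requested"], info["entry"], info["attr"] = m.groups()
        elif m := BY_RE.match(line):
            info["bind_dn"] = m.group(1)  # "" means the connection is anonymous
        elif m := MASK_RE.match(line):
            info["clause"], info["granted"] = int(m.group(1)), m.group(2)
        elif m := VERDICT_RE.match(line):
            info["verdict"] = m.group(1)
    return info

def explain(info):
    """One-line diagnosis: who the server thinks is asking, and what the ACL gave them."""
    who = "anonymous (empty bind DN)" if info["bind_dn"] == "" else info["bind_dn"]
    verdict = "sufficient" if level_sufficient(info["granted"], info["requested"]) else "insufficient"
    hint = " ('by self' only matches when bound as the entry itself)" if info["bind_dn"] == "" else ""
    return (f"{info['requested']} on {info['attr']} by {who}: clause {info['clause']} "
            f"grants '{info['granted']}', {verdict}{hint}")
```

Running `explain(analyze_acl_trace(SAMPLE_TRACE))` on the quoted lines names the empty bind DN as the reason clause 3 (`by anonymous auth`) was applied instead of `by self write`.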