LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 12-22-2005, 09:30 AM   #1
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Rep: Reputation: 30
ACL Problem, Insufficient access (50)


i use openldap 2.3.11 , Heimdal Kerberos , Fedora 4

login authenticated through kerberos and i use ldap for user info (instead of NIS)

the problem is i cannot change password for any authenticated user using GSSAPI even with rootdn
i tried to use -x and it worked only with the rootdn

here is my ACL files: (manager is my rootdn)
**************************************************************************************************** *********************
access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org" attrs=userPassword
by dn="cn=Manager,dc=test,dc=domain,dc=mydomain,dc=org" write
by self write
by * auth
access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
by * read
access to dn.regex="uid=(.*),ou=People,dc=test,dc=domain,dc=mydomain,dc=org"
by self write
by * read
**************************************************************************************************** *********************

and here is the error:
**************************************************************************************************** **********************
ldappasswd -Y GSSAPI -S "uid=sonne,ou=People,dc=test,dc=domain,dc=mydomain,dc=org "
New password:
Re-enter new password:
SASL/GSSAPI authentication started
SASL username: sonne@TEST.DOMAIN.MYDOMAIN.ORG
SASL SSF: 56
SASL installing layers
Result: Insufficient access (50)
*****************************************************************************

i hope you can help!
thanks alot
 
Old 12-22-2005, 10:18 AM   #2
sidmark-2850
Member
 
Registered: Aug 2003
Posts: 133

Rep: Reputation: 15
Since your users' passwords are stored in kerberos, you will never need to change the users' userPassword attribute in LDAP. It should always be {SASL}username@REALM.TLD. I have a similar setup but with MIT kerberos and I normally change the users' password with the kadmin tool. I can't speak for heimdal since I have never used it.

Sid.
 
Old 12-25-2005, 08:20 AM   #3
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
thanks a lot , i don't know how i didn't think about that!!! anyway i solved the Insufficient access problem too, the regex i use maps correctly at login only, i wrote another regex to map after login
anyway asu said, i don't need to change the ldap password field, only to change the kerberos password
thanks
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Problem with ACL kousik Linux - Security 1 08-31-2005 11:12 AM
Re ldap_bind Insufficient access(50) vanaidu2004 Linux - Networking 0 07-03-2005 01:39 AM
LDAP Insufficient access sohocoffee2 Linux - Security 1 03-02-2005 10:23 PM
Squid ACL - what happens when a user go goes past their allowed access time? Grizzlednewbie Linux - Software 0 07-07-2004 01:37 AM
problem with ACL alpesh Linux - Newbie 1 07-28-2003 01:43 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 08:21 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration