
I have the following openldap server configuration:

access to attrs=userPassword
    by self write
    by anonymous auth
    by set="[cn=users,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by * none

# Allow everybody adding and changing Contacts
access to dn.subtree="ou=Contacts,dc=my-company,dc=de"
    by set="[cn=users,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by * read

access to *
    by self write
    by dn.base="cn=admin,dc=my-company,dc=de" write
    by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by * read

What it should do is this:

  1. allow everybody to change his own password
  2. allow all users to add and change contacts
  3. allow all in group "sysadm" to change everything

The problem is, the sysadms cannot change any user password. Any hints?

warren
Tim Büthe

3 Answers


Quoting the OpenLDAP admin guide:

The order of evaluation of access directives makes their placement in the configuration file important. If one access directive is more specific than another in terms of the entries it selects, it should appear first in the config file. Similarly, if one selector is more specific than another it should come first in the access directive.

To cut a long story short, try the following:

access to attrs=userPassword
    by dn.base="cn=admin,dc=my-company,dc=de" write
    by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by self write
    by anonymous auth
    by * none

# Allow everybody adding and changing Contacts
access to dn.subtree="ou=Contacts,dc=my-company,dc=de"
    by dn.base="cn=admin,dc=my-company,dc=de" write
    by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by set="[cn=users,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by * read

access to *
    by dn.base="cn=admin,dc=my-company,dc=de" write
    by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by self write
    by * read

BTW, do you really want to grant all users access to all attributes of their own object ('access to * ... by self write')? As you're limiting write access to the userPassword attribute only in the first ACL, I'd say that it's not what you wanted.

Jubal

What happens if you do this?

access to dn.subtree="[cn=users,ou=Group,dc=my-company,dc=de]"
    by self write
    by dn.base="cn=admin,dc=my-company,dc=de" write
    by set="[cn=sysadm,ou=Group,dc=my-company,dc=de]/memberUid & user/uid" write
    by * read
Josh Budde
    The only difference is using a dn.subtree instead of *, right? Why should this work better? I'll give it a try when I'm back in this project, which could take some days. – Tim Büthe Oct 13 '09 at 10:30

IIRC slapd uses the first matching rule. Since the first block matches userPassword but doesn't allow sysadmins to modify, they aren't allowed to modify.

ptman
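Jubal's reordering and ptman's first-match explanation can both be checked with a small model of the evaluation; this is an added example, not code from the thread or from OpenLDAP, and the user/group data and the ou=People layout are assumptions.

```python
# Added example, not code from the thread: a small model of slapd's ACL walk
# applied to the clauses in the question and in Jubal's reordering.
# slapd takes the FIRST "access to" clause whose target matches the request,
# and inside it the FIRST "by" clause whose subject matches; nothing after
# that is consulted, and a target match with no "by" match is a deny.
BASE = "dc=my-company,dc=de"
ADMIN = f"cn=admin,{BASE}"
# Constructed memberUid-style membership, standing in for the page's
# set="[cn=<group>,ou=Group,...]/memberUid & user/uid" clauses.
GROUPS = {"users": {"alice", "bob"}, "sysadm": {"carol"}}
LEVELS = ["none", "auth", "read", "write"]      # subset of slapd's levels

def user_dn(uid):                               # assumed People branch layout
    return f"uid={uid},ou=People,{BASE}"

def by_matches(kind, arg, bind, target_dn):     # one "by" subject, bind None = anonymous
    if kind == "self":      return bind is not None and bind == target_dn
    if kind == "anonymous": return bind is None
    if kind == "dn.base":   return bind == arg
    if kind == "group":     return bind is not None and bind.split(",")[0].split("=", 1)[1] in GROUPS[arg]
    return kind == "*"

def to_matches(kind, arg, target_dn, attr):     # one "access to" target
    if kind == "attrs":      return attr == arg
    if kind == "dn.subtree": return target_dn.endswith(arg)
    return True                                 # "access to *"

def access_level(acls, bind, target_dn, attr):
    for (to_kind, to_arg), by_list in acls:
        if to_matches(to_kind, to_arg, target_dn, attr):
            for kind, arg, level in by_list:
                if by_matches(kind, arg, bind, target_dn):
                    return level
            return "none"                       # implicit trailing "by * none"
    return "none"

def can(acls, bind, target_dn, attr, wanted):
    return LEVELS.index(access_level(acls, bind, target_dn, attr)) >= LEVELS.index(wanted)

SELF, ANON, ADM = ("self", None, "write"), ("anonymous", None, "auth"), ("dn.base", ADMIN, "write")
SYSADM, USERS = ("group", "sysadm", "write"), ("group", "users", "write")
PW, CONTACTS, ANY = ("attrs", "userPassword"), ("dn.subtree", f"ou=Contacts,{BASE}"), ("*", None)
ORIGINAL = [(PW, [SELF, ANON, USERS, ("*", None, "none")]),          # the question's config
            (CONTACTS, [USERS, ("*", None, "read")]),
            (ANY, [SELF, ADM, SYSADM, ("*", None, "read")])]
REORDERED = [(PW, [ADM, SYSADM, SELF, ANON, ("*", None, "none")]),   # Jubal's answer
             (CONTACTS, [ADM, SYSADM, USERS, ("*", None, "read")]),
             (ANY, [ADM, SYSADM, SELF, ("*", None, "read")])]

if __name__ == "__main__":
    carol, alice, bob = user_dn("carol"), user_dn("alice"), user_dn("bob")
    # sysadm carol is stopped by "* none" in the first clause and never reaches "access to *"
    print(can(ORIGINAL, carol, alice, "userPassword", "write"), can(REORDERED, carol, alice, "userPassword", "write"))
    # the original first clause also lets every cn=users member write anyone's password
    print(can(ORIGINAL, bob, alice, "userPassword", "write"), can(REORDERED, bob, alice, "userPassword", "write"))
```

The second check is worth noting when reviewing the original config: the `by set="[cn=users,...]" write` line on userPassword grants password writes to every member of cn=users, not only to the owner, and Jubal's version drops it.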