howto: ldap modify acl

upengan78 · October 29, 2010, 10:13am

Hello guys,

I have a smb-ldap server on ubuntu 10.04 server. I recently found that when smb-ldap user SSHs into the server box and runs smbldap-passwd command then there is below error. root can run this command with no issues. I'd like users to be able to do the same.

Here is the error (happens for all users)

Ldap config for acl is :

# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=pdc
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous
auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess:: ezN9dG8gKiBieSBkbj0iY249YWRtaW4sZGM9cGRjIiB3cml0ZSBieSAYWQg
olcLastMod: TRUE
olcRootDN: cn=admin,dc=pdc
olcRootPW: blah
olcRootPW: {crypt}64KIVblash
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: cn eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub

I saw on some forums people suggesting below acl,

will this be correct acl? If so, how to modify the ACLs in ldap.

Thanks:b:

BTW : Is 'code / #' removed from thread tools ? I just find 'quote' so I used that for highlighting my configuration in thread

frank_rizzo · November 23, 2010, 7:45pm

turn debugging on (log level 256) and see what attribute it is trying to update. it might not be userPassword. not familar with using SMB with LDAP but the logging would show you exactly what is wrong.