[Fedora-directory-users] DSGW problem - browser user tries to change password

John A. Sullivan III jsullivan at opensourcedevel.com
Sun Nov 30 00:20:02 UTC 2008


Hello, all.  As explained in the last email, we do not allow anonymous
browsing but have a specific user with limited rights browsing the tree
to find users' identities for logging into DSGW.  We also have a policy
that users must change their passwords after a reset.

We have a test user sue.sutter.  We reset her password and then had her
attempt to log in to DSGW.  Sure enough, she was told she needed to
change her password and was given the option to do so.  However, the
attempt failed with the below error messages:

Editing sue.sutter... 
Sending changes to the directory server...

An error occurred while contacting the LDAP server. 
(Insufficient access - Insufficient 'write' privilege to the
'userPassword' attribute of entry
'uid=sue.sutter,ou=users,o=a0000-0006,o=internal,dc=ssiservices,dc=biz'. )
You do not have sufficient privileges to perform the operation. 

That seemed very strange because when we test changing passwords using
her posix account, it works just fine.  We then gave the browsing user
(not sue.sutter) full rights to the tree and, lo and behold, it worked:

Giving the directory browser user all rights allowed a successful
password change.

It appears the browsing user is the one attempting to change the user's
password and not the user.  Is that the way it's supposed to be? I
certainly would not want a browse-only utility user able to change user
passwords.  Perhaps I am missing something.  Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society



