Red Hat Directory Server ACI with target attribute userPassword, USERDN rule and proxy user denies write for password change operations
Issue
Red Hat Directory Server (RHDS) access control does not work for password change operations when the ACIs combine the target attribute userPassword, a USERDN bind rule (userattr="manager#USERDN"), and a proxy user: a proxy user with the "proxy" right who acts as the manager is still denied write access to userPassword.
ACI example:
aci: (targetattr="userPassword")(version 3.0; acl "testmsproxy manager can set passwords";allow(write) userattr="manager#USERDN";)
aci: (targetattr="*")(version 3.0; acl "testmsproxy alow read proxy";allow(proxy) (userdn="ldap:///uid=user1,dc=example");)
Error example:
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=user1,dc=example'.
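The following is an added example, not code from the knowledgebase article or from RHDS: a small parser for the two ACIs above and a simplified model of how they are expected to combine (the bound user must first hold the "proxy" right, then the write is evaluated as the proxied identity, whose DN must appear in the entry's manager attribute). The manager DN uid=manager,dc=example is an assumption; the model shows the intended outcome, not the evaluator that produced the error above.

```python
import re

# The two ACIs from the article, used here as parser input.
ACIS = [
    '(targetattr="userPassword")(version 3.0; acl "testmsproxy manager can set passwords";'
    'allow(write) userattr="manager#USERDN";)',
    '(targetattr="*")(version 3.0; acl "testmsproxy alow read proxy";'
    'allow(proxy) (userdn="ldap:///uid=user1,dc=example");)',
]

ACI_RE = re.compile(
    r'\(targetattr="(?P<targetattr>[^"]*)"\)\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\((?P<perms>[^)]*)\)\s*(?P<rule>.*?);\)$'
)

def parse_aci(text):
    """Split one ACI into target attributes, effect, rights and its bind rule."""
    m = ACI_RE.match(text)
    if not m:
        raise ValueError("unsupported ACI syntax: " + text)
    d = m.groupdict()
    d["perms"] = {p.strip().lower() for p in d["perms"].split(",")}
    d["targetattr"] = {a.strip().lower() for a in d["targetattr"].split("||")}
    return d

def rule_matches(rule, bind_dn, entry):
    """Evaluate the two bind-rule forms used above; entry maps lowercase attr -> values."""
    rule = rule.strip()
    m = re.fullmatch(r'\(?userattr="(\w+)#USERDN"\)?', rule)
    if m:  # grant if the named attribute of the target entry holds the bind DN
        return bind_dn.lower() in {v.lower() for v in entry.get(m.group(1).lower(), [])}
    m = re.fullmatch(r'\(?userdn="ldap:///([^"]+)"\)?', rule)
    if m:  # grant only to this exact bind DN
        return bind_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported bind rule: " + rule)

def allowed(acis, bind_dn, entry, attr, perm):
    return any(a["effect"] == "allow" and perm in a["perms"]
               and ("*" in a["targetattr"] or attr.lower() in a["targetattr"])
               and rule_matches(a["rule"], bind_dn, entry) for a in acis)

def can_write_password(acis, bind_dn, entry, proxy_dn=None):
    """proxy_dn is the identity asserted with proxied authorization (simplified model)."""
    if proxy_dn is not None:
        if not allowed(acis, bind_dn, entry, "*", "proxy"):
            return False          # no proxy right: the control itself is refused
        bind_dn = proxy_dn        # otherwise the write is judged as the proxied user
    return allowed(acis, bind_dn, entry, "userPassword", "write")

if __name__ == "__main__":
    entry = {"manager": ["uid=manager,dc=example"]}   # constructed uid=user1 entry
    acis = [parse_aci(a) for a in ACIS]
    print(can_write_password(acis, "uid=user1,dc=example", entry, "uid=manager,dc=example"))
```

The expected result for user1 proxying as the manager is True; the article's error shows RHDS returning "Insufficient access" for exactly that case.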
Environment
- Red Hat Enterprise Linux 5
- Red Hat Directory Server with redhat-ds-base 8.x up to redhat-ds-base-8.2.1-1.el5dsrv from errata RHBA-2010-0692 included