Red Hat Directory Server ACI with target attribute userPassword and USERDN keyword denies write for password change operations
Issue
Access control handling in Red Hat Directory Server (RHDS) does not honor ACIs that combine the target attribute userPassword with a userattr rule using the USERDN keyword: such an ACI does not grant write access for password change operations, so the modify is denied.
ACI example:
aci: (targetattr="userPassword")(version 3.0; acl "Owners can set passwords"; allow(write) userattr="owner#USERDN";)
Error example:
ldap_modify: Insufficient access (50)
additional info: Insufficient 'write' privilege to the 'userPassword'
attribute of entry 'uid=user2,o=example'.
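The following script is an added example, not part of the Red Hat article and not RHDS code, for finding ACIs in an ACI export that match the affected pattern (write on userPassword granted through a `userattr="...#USERDN"` rule). The sample ACI lines are constructed for illustration; the bind DN and suffix in the usage note are assumptions.

```shell
#!/bin/sh
# Constructed sample of an LDIF ACI export. The last ACI is folded across
# two lines the way ldapsearch wraps long attribute values (a leading space
# on the continuation line).
SAMPLE_ACIS='aci: (targetattr="userPassword")(version 3.0; acl "Owners can set passwords"; allow(write) userattr="owner#USERDN";)
aci: (targetattr="mail")(version 3.0; acl "Owners can set mail"; allow(write) userattr="owner#USERDN";)
aci: (targetattr="userPassword")(version 3.0; acl "Self write password"; allow(write) userdn="ldap:///self";)
aci: (targetattr="userPassword || mail")(version 3.0; acl "Manager sets
  passwords"; allow(write) userattr="manager#USERDN";)'

# Join LDIF continuation lines: a line starting with a space continues the
# previous one, and the marker space is dropped.
unfold_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" }
       { printf "%s", $0 }
       END { printf "\n" }'
}

# Print only the ACIs that (1) target userPassword, (2) allow write and
# (3) grant the right via a userattr rule ending in #USERDN.
find_affected_acis() {
  unfold_ldif \
    | grep -i 'targetattr *= *"[^"]*userPassword' \
    | grep -i 'allow *([^)]*write' \
    | grep -i 'userattr *= *"[^"]*#USERDN"'
}

# Number of affected ACIs in the constructed sample (expected: 2).
count_affected_acis() {
  printf '%s\n' "$SAMPLE_ACIS" | find_affected_acis | wc -l | tr -d ' '
}

# Run stand-alone: list the matching ACIs from the sample.
printf '%s\n' "$SAMPLE_ACIS" | find_affected_acis
```

Against a live server the same filter can be fed from an ACI search, for example `ldapsearch -x -LLL -D "cn=Directory Manager" -W -b "o=example" '(aci=*)' aci | find_affected_acis` (bind DN and suffix are assumptions; substitute your own). The unfold step matters because ldapsearch folds long aci values and a per-line grep would otherwise miss ACIs whose userattr clause lands on a continuation line.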
Environment
- Red Hat Enterprise Linux 5
- Red Hat Directory Server 8.x with redhat-ds-base up to and including redhat-ds-base-8.2.0-13.el5dsrv