Red Hat Directory Server ACI with target attribute userPassword, USERDN rule and proxy user denies write for password change operations

Solution Verified - Updated -

Issue

A Red Hat Directory Server (RHDS) access control handling with ACIs that use target attribute userPassword, the USERDN rule, and a proxy user, will not work for password change operations
ACI example:

aci: (targetattr="userPassword")(version 3.0; acl "testmsproxy manager can set passwords";allow(write) userattr="manager#USERDN";)
aci: (targetattr="*")(version 3.0; acl "testmsproxy alow read proxy";allow(proxy) (userdn="ldap:///uid=user1,dc=example");)

Error example:

ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'userPassword' attribute of entry 'uid=user1,dc=example'.

Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Directory Server with redhat-ds-base 8.x up to redhat-ds-base-8.2.1-1.el5dsrv from errata RHBA-2010-0692 included

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.