10-29-2010
howto: ldap modify acl
Hello guys,
I have an smb-ldap server on Ubuntu 10.04 server. I recently found that when an smb-ldap user SSHes into the server box and runs the smbldap-passwd command, there is the error below. root can run this command with no issues. I'd like users to be able to do the same.
Here is the error (it happens for all users):
Quote:
smbldap-passwd
Identity validation...
enter your UNIX password:
Changing UNIX and samba passwords for lee
New password:
Retype new password:
Failed to modify SMB password: Insufficient access at /usr/sbin/smbldap-passwd line 238, <STDIN> line 3.
LDAP config for the ACL is:
Quote:
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=pdc
olcAccess: {0}to attrs=userPassword by dn="cn=admin,dc=pdc" write by anonymous auth by self write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess:: ezN9dG8gKiBieSBkbj0iY249YWRtaW4sZGM9cGRjIiB3cml0ZSBieSAYWQg
olcLastMod: TRUE
olcRootDN: cn=admin,dc=pdc
olcRootPW: blah
olcRootPW: {crypt}64KIVblash
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: cn eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: loginShell eq
olcDbIndex: uid eq
olcDbIndex: memberUid eq
olcDbIndex: uniqueMember eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
I saw on some forums people suggesting the ACL below:
Quote:
access to attrs=userPassword,shadowLastChange,shadowMax,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags
by dn="cn=admin,dc=ultraelectron,dc=com" write
by anonymous auth
by self write
by * none
Will this be the correct ACL? If so, how do I modify the ACLs in LDAP?
Thanks
BTW: is 'code / #' removed from thread tools? I only find 'quote', so I used that for highlighting my configuration in the thread.
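As an added illustration (not code from the thread), here is a small model of how OpenLDAP evaluates ordered olcAccess directives: the first matching "to" clause wins, and within it the first matching "by" clause decides the level. It runs the thread's current rules and the suggested rule against the samba password attributes; the {3} rule is an assumed reconstruction (the thread shows it only as a truncated base64 line), the suggested rule's admin DN is adapted to dc=pdc, and the user DN is constructed.

```python
import re

# Access levels in increasing order, as OpenLDAP ranks them.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ADMIN = 'dn="cn=admin,dc=pdc"'

def parse_rule(text):
    """Parse one 'to <what> by <who> <level> ...' directive; the {n} ordering prefix is dropped."""
    text = re.sub(r"^\{\d+\}", "", " ".join(text.split()))   # also joins wrapped lines
    what, rest = re.match(r"to\s+(\S+)\s+(by\s.*)$", text).groups()
    if what == "*":
        attrs = None                      # any attribute
    elif what.startswith("attrs="):
        attrs = set(what[len("attrs="):].split(","))
    else:
        attrs = set()                     # dn-based targets such as dn.base="": not modelled here
    return attrs, re.findall(r"by\s+(\S+)\s+(\w+)", rest)

def who_matches(who, subject, entry_dn):
    """subject is the bound DN (None = anonymous); entry_dn is the entry being modified."""
    return (who == "*" or (who == "anonymous" and subject is None)
            or (who == "users" and subject is not None)
            or (who == "self" and subject == entry_dn)
            or (who.startswith("dn=") and subject is not None and who == f'dn="{subject}"'))

def access(rules, subject, entry_dn, attr):
    """First matching 'to' clause wins; inside it the first matching 'by' clause wins."""
    for attrs, by in (parse_rule(r) for r in rules):
        if attrs is None or attr in attrs:
            for who, level in by:
                if who_matches(who, subject, entry_dn):
                    return level
            return "none"                 # 'to' matched, no 'by' matched: implicit 'by * none'
    return "none"

def can_write(rules, subject, entry_dn, attr):
    return LEVELS.index(access(rules, subject, entry_dn, attr)) >= LEVELS.index("write")

CURRENT = [   # the thread's olcAccess lines; {3} is an assumed reconstruction
    f'{{0}}to attrs=userPassword by {ADMIN} write by anonymous auth by self write by * none',
    '{1}to attrs=shadowLastChange by self write by * read',
    f'{{3}}to * by {ADMIN} write by * read',
]
PROPOSED = [  # the forum suggestion placed first, admin DN adapted to this server's suffix
    'to attrs=userPassword,shadowLastChange,shadowMax,sambaNTPassword,sambaLMPassword,'
    f'sambaPwdLastSet,sambaPwdMustChange,sambaAcctFlags by {ADMIN} write '
    'by anonymous auth by self write by * none',
] + CURRENT

LEE = "uid=lee,ou=Users,dc=pdc"       # constructed user DN
if __name__ == "__main__":
    for attr in ("userPassword", "sambaNTPassword"):
        print(attr, "current:", can_write(CURRENT, LEE, LEE, attr),
              "proposed:", can_write(PROPOSED, LEE, LEE, attr))
```

Under the current rules a user can write userPassword but only read sambaNTPassword, which is what smbldap-passwd trips over; the suggested rule must be ordered before the catch-all {3} rule, since the first matching "to" clause wins. On cn=config that is done with an LDIF using changetype: modify and replace: olcAccess against olcDatabase={1}hdb,cn=config, applied with ldapmodify -Y EXTERNAL -H ldapi:///.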