Java Mailing List Archive


A little more on openLDAP

mark

2008-02-15

...(and I did refrain from typing openLCRAP).

Having spent another day and a half fighting what I thought I had fixed... here's more.

The sequence is critical in the ACL. From what I've read:
a) the first match takes it, so whatever it hits first is
  what's in effect.
b) when you're coming in, first you need the ability to
  read with anonymous authority, so that you can look
  up who you are, so that you can give it your password,
  so you can be authorized to change your password.

Got that? Make sense? Not to me, either. AND they don't give you a default ACL that lets users change their own passwords (and why is that?)

So, I had to change to

# Specific rule first: with first-match, a rule on "*" placed before
# this one would shadow it, and the password attributes would fall
# under "by * read" (anyone could read the hashes, self could not write)
access to attrs=shadowLastChange,userPassword
    by self write       # only you can change your own password
    by anonymous auth   # anonymous may bind against it, not read it
                        # (implicit "by * none": nobody else sees the hash)

access to *             # all other attributes
    by self write       # only you can write your own entry
    by * read           # anybody can read it
    by anonymous auth   # never reached: "by * read" above already
                        # matched, and read includes auth anyway

Geez, what crap. And before someone stands up for it, here's how I would do it:
<I'm coming in>
 <do I know your name?>
    no) can you do what you want with anon authority?
        yes) [ok, let's do what you want]
         no) go away, boy, ya bother me.
   yes) <ok, do you need a password? [process] yep
      <prompt for password>
      <password ok?>
          yes) [ok, let's do what you want]
          no) <are we tired?>
             yes) go away, boy, ya bother me.
             no) loop to prompt till we get tired
<done>

And what idiot leads you through the process, and *then* looks to see if you're authorized (ldappasswd, interactive)?

    mark

--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@(protected)
https://www.redhat.com/mailman/listinfo/redhat-list
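The first-match rule the post describes is easy to get wrong by eye, so here is a small model of slapd's ACL evaluation that can be run over a candidate config before it goes live. This is an added example, not code from the post or from the OpenLDAP project; it handles only the subset of the `access to ... by ...` syntax used above (targets `*` and `attrs=`, subjects `*`, `anonymous`, `users`, `self`), and the DNs and the two sample ACLs (`POSTED`, with the catch-all clause first, and `FIXED`) are constructed for the illustration.

```python
"""Model of OpenLDAP slapd.conf access-control evaluation (first match wins).

Added illustration, not the post's or OpenLDAP's own code.  Parses a subset of
"access to <what> by <who> <level>" and reports the level a requester gets for
one attribute of one entry.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Access levels in increasing privilege; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Clause:
    attrs: set | None                        # None means every attribute ("*")
    by: list = field(default_factory=list)   # (who, level) pairs, in the order written


def parse_acl(text: str) -> list[Clause]:
    """Parse slapd.conf-style access directives; '#' starts a comment."""
    clauses: list[Clause] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"access\s+to\s+(\S+)", line)
        if m:
            what = m.group(1)
            if what == "*":
                clauses.append(Clause(None))
            elif what.startswith("attrs="):
                clauses.append(Clause(set(what[len("attrs="):].split(","))))
            else:
                raise ValueError(f"unsupported target: {what}")
            continue
        m = re.fullmatch(r"by\s+(\S+)\s+(\S+)", line)
        if m and clauses:
            who, level = m.groups()
            if level not in LEVELS:
                raise ValueError(f"unknown level: {level}")
            clauses[-1].by.append((who, level))
            continue
        # "access: to ..." (with a colon) lands here: not valid slapd.conf syntax
        raise ValueError(f"cannot parse: {raw!r}")
    return clauses


def who_matches(who: str, requester: str | None, target: str) -> bool:
    """requester is the bound DN, or None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester == target
    raise ValueError(f"unsupported subject: {who}")


def effective_level(clauses: list[Clause], requester: str | None, target: str, attr: str) -> str:
    """The first clause whose target matches decides; within it, the first
    matching 'by' decides.  A matching clause with no matching 'by', or no
    matching clause at all, denies (slapd's implicit trailing "by * none")."""
    for clause in clauses:
        if clause.attrs is not None and attr not in clause.attrs:
            continue
        for who, level in clause.by:
            if who_matches(who, requester, target):
                return level
        return "none"
    return "none"


def allows(clauses, requester, target, attr, needed) -> bool:
    """True if the effective level is at least `needed`."""
    return LEVELS.index(effective_level(clauses, requester, target, attr)) >= LEVELS.index(needed)


# Constructed sample: catch-all clause first, "*" tested before "self".
POSTED = """
access to *
    by * read
    by self write
    by anonymous auth
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
"""

# Constructed sample: password attributes before the catch-all, "self" before "*".
FIXED = """
access to attrs=shadowLastChange,userPassword
    by self write
    by anonymous auth
access to *
    by self write
    by * read
"""

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DN
BOB = "uid=bob,ou=people,dc=example,dc=com"       # constructed DN


def password_findings(text: str) -> list[str]:
    """Problems a reviewer cares about for userPassword under this ACL."""
    acl = parse_acl(text)
    findings = []
    if allows(acl, None, ALICE, "userPassword", "read"):
        findings.append("anonymous can read userPassword hashes")
    if allows(acl, BOB, ALICE, "userPassword", "read"):
        findings.append("other users can read userPassword hashes")
    if not allows(acl, ALICE, ALICE, "userPassword", "write"):
        findings.append("users cannot change their own password")
    if not allows(acl, None, ALICE, "userPassword", "auth"):
        findings.append("anonymous cannot bind (auth) against userPassword")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("fixed", FIXED)):
        print(name, password_findings(text) or ["ok"])
```

Running it reports three findings for `POSTED` (hashes readable by anonymous and by other users, and self unable to write) and none for `FIXED`; the parser also rejects the `access: to` spelling, which is a handy way to catch that typo before slapd does. For a live server the same question can be put to OpenLDAP's own `slapacl` tool rather than this model.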
©2008 redhatconfig.com - Jax Systems, LLC, U.S.A.