The issue I have is in the role(s) and/or access on the LDAP server. I added the Password Modify Extended Operation - ACI to our Sun Directory Server (Version 7.0) a while ago and the roledn specified (cn=Password Managers,...) is clearly not right. I need to specify the role so that a user can change their own password only. What role would allow that? How do I specify it?
The server is Solaris 10. I am including the information on the OID below and below that the python program that I am trying to use and the result from that program. I borrowed heavily from the code in this post here on stack.
In my LDAP Server I find:
Properties of the selected Access Control Instruction
Required Field ACI Syntax:
(targetattr != "aci")(version 3.0; acl "Password Modify Extended Operation ";
allow( read, search, compare, proxy )
(roledn = " ldap:///cn=Password Managers,dc=example,dc=com" and authmethod = "SSL");)
Entry where the ACI is located:
oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config
I am working on a python 3.5 program to change user passwords. Here is the code so far:
import ldap3

SERVER = 'ds2.example.com'
BASEDN = 'dc=channing,dc=example,dc=com'
USER = 'saltz'
SEARCHFILTER = '(uid=' + USER + ')'
CURRENTPWD = "something"
NEWPWD = "somethingelse"
user = 'uid=saltz,ou=People,dc=channing,dc=example,dc=com'

# LDAPS on port 636; get_info=ALL also reads the root DSE, so the server's
# supported extended operations are visible in ldap_server.info after binding.
ldap_server = ldap3.Server(SERVER, port=636, use_ssl=True,
                           get_info=ldap3.ALL)
# Simple bind as the user whose own password is being changed.
conn = ldap3.Connection(ldap_server, user, CURRENTPWD, auto_bind=True)

# RFC 3062 Password Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1).
# ModifyPassword takes (connection, user, old_password, new_password, ...),
# so the passwords are passed by keyword to keep old and new from being swapped.
modify = ldap3.extend.standard.modifyPassword.ModifyPassword(
    conn, user=user, old_password=CURRENTPWD, new_password=NEWPWD,
    controls=None)
resp = modify.send()
print(modify.result)
This is the result I got when I ran the above code:
{'result': 50, 'description': 'insufficientAccessRights', 'dn': '',
'message': 'Access to feature "oid=1.3.6.1.4.1.4203.1.11.1,cn=features,cn=config" denied.',
'referrals': None, 'responseName': None, 'responseValue': None,
'type': 'extendedResp', 'new_password': None}
Thanks for your help.