ltb-project / service-desk

Application for support team who need to check and reset user passwords
https://service-desk.readthedocs.io/
GNU General Public License v3.0

Question: olcAccess rights for locking/unlocking accounts #34

Closed NoxInmortus closed 3 years ago

NoxInmortus commented 3 years ago

Hello,

I made a dedicated LDAP user to be used by Service-Desk with the following olcAccess:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to dn.subtree="ou=ppolicies,dc=dom" by dn="cn=bot ldap,ou=users,dc=dom" read by * break
-
add: olcAccess
olcAccess: {2}to dn.subtree="ou=users,dc=dom" attr=userPassword by dn="cn=bot ldap,ou=users,dc=dom" write by * break
-
add: olcAccess
olcAccess: {3}to dn.subtree="ou=users,dc=dom" by dn="cn=bot ldap,ou=users,dc=dom" read by * break

Everything is working well except for the locking/unlocking feature of LDAP accounts. I can't manage to get the proper access rules for that feature, if anyone could share it, I would be a happy man.

thanks

coudot commented 3 years ago

You need write access to pwdAccountLockedTime attribute
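The access rule coudot points at, written out as an added LDIF example (not from the issue or the service-desk project). It assumes the three olcAccess values from the question and the same bot DN, and replaces rule {2} rather than appending a new one, because rule {3} already grants the bot plain read on the subtree and stops there; a write grant for pwdAccountLockedTime placed after {3} would never be reached.

```ldif
# Added example, not from the issue or the service-desk project.
# Assumes the rules {1},{2},{3} quoted in the question and the same bot DN.
# Rule {2} is removed by index and re-added covering both the password and
# the ppolicy lock attribute; {1} and {3} are left untouched.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to dn.subtree="ou=users,dc=dom"
  attrs=userPassword,pwdAccountLockedTime
  by dn="cn=bot ldap,ou=users,dc=dom" write
  by * break

# Offline check of the resulting ACLs with slapacl(8), run on the server.
# /etc/ldap/slapd.d is the Debian cn=config path (assumption); the user DN
# is a constructed sample. Expected: "write(=wrscxd)" for the bot.
#   slapacl -F /etc/ldap/slapd.d \
#     -D "cn=bot ldap,ou=users,dc=dom" \
#     -b "uid=someone,ou=users,dc=dom" pwdAccountLockedTime/write
```

Continuation lines in LDIF start with one space that is stripped on folding, so the two leading spaces above are deliberate: they keep a space between the joined pieces of the olcAccess value.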

NoxInmortus commented 3 years ago

Perfect, thank you