(targetattr="*")(version 3.0;acl "PWM_admin";allow (all) userdn = "ldap:///uid=pwadminuser,ou=People,dc=mycompany,dc=com";)
My 'all' is probably bad, but you only allowing 'all' might be preventing
the user from reading the directory.
-----Original Message-----
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of Elizabeth Jones
Sent: Tuesday, March 05, 2013 4:23 PM
To: General discussion list for the 389 Directory server project.
Subject: Re: [389-users] using PWM with 389 DS
These are the ACIs I added based on the PWM guide -
dn: ou=People,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (targetattr = "*") (target = "ldap:///ou=People,dc=mycompany,dc=com") (version 3.0; acl "PWM Proxy Add Users"; allow (add) (userdn = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com");)

dn: ou=People,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (targetattr = "userpassword || pwmResponseSet") (version 3.0;acl "PWM Allow self entry modification";allow (write)(userdn = "ldap:///self");)

dn: ou=People,dc=mycompany,dc=com
changetype: modify
add: aci
aci: (targetattr = "pwmGUID || pwmlastPwdUpdate || userPassword || objectClass || pwmEventLog") (target = "ldap:///ou=People,dc=mycompany,dc=com") (version 3.0; acl "PWM Proxy Reset Password"; allow (write) (userdn = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com");)
Can you post your ACIs? It really sounds like that might be the
issue.
I have PWM running against 389DS with no real trouble.
Josh
--
Joshua Ellsworth
Senior Systems Administrator
Primatics Financial
-----Original Message-----
From: 389-users-bounces(a)lists.fedoraproject.org
[mailto:389-users-bounces@lists.fedoraproject.org] On Behalf Of
Elizabeth Jones
Sent: Tuesday, March 05, 2013 12:12 PM
To: 389-users(a)lists.fedoraproject.org
Subject: [389-users] using PWM with 389 DS
I was wondering if anyone here has integrated PWM into your 389 DS and
might be able to help me out.
We want to use PWM just for allowing users to change their passwords.
I followed the documentation that is here
https://docs.google.com/document/d/1I9u1xaVrIOTFj8Le7uzCM5zGqrODCi9Udo2gGZyAapc/edit?pli=1#heading=h.rvkap1ozsaom
to add the users and aci's that PWM needs, following the directions in
the doc (except that I had to change from replace to add to the aci
section or it wiped out our existing acis).
Following this doc, I added users pwmproxy and pwmtest to
People,mycompany,com
Using PWM, I can access the pwmproxy and pwmtest users at the People
level and change their passwords. I can also add additional
test/generic users at this level (People, mycompany, com) and access
those using PWM. But if I try to access any of our existing user IDs that are below
People, i.e.
internal,people,company,com
external,people,company,com
PWM says it can't find those users.
Any thoughts on what else I might need to do to get to those users?
thanks
EJ
--
389 users mailing list
389-users(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Email Disclaimer: This email and any files transmitted with it may be
confidential, legally privileged and are intended solely for the use
of the individual(s) or entity to whom they are addressed. If you are
not the intended recipient, you are hereby notified that any use,
sharing, dissemination, or reproduction of information contained in
the email is strictly prohibited and may be unlawful. If you are not
the intended recipient, please notify the sender by return email that
you have received this email in error and destroy all copies of the original message.
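As an added example, not part of this thread, of PWM or of 389 DS: a small Python script that parses the ACIs quoted above (Elizabeth's three and Josh's one) and reports, per bind DN, which rights each ACI grants on which attributes, so a reviewer can see at a glance that the pwmproxy DN is granted add and write but no read or search right. The ACI strings are the ones from the thread with the mail wrapping rejoined; the function names and the ALL_RIGHTS expansion used for Josh's `allow (all)` are my own.

```python
import re

# The ACIs posted in this thread, with the e-mail line wrapping undone. Constructed
# input for this added example; the parser is not part of PWM or 389 DS.
ACIS = [
    '(targetattr="*")(version 3.0;acl "PWM_admin";allow (all) userdn = '
    '"ldap:///uid=pwadminuser,ou=People,dc=mycompany,dc=com";)',
    '(targetattr = "*") (target = "ldap:///ou=People,dc=mycompany,dc=com") '
    '(version 3.0; acl "PWM Proxy Add Users"; allow (add) '
    '(userdn = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com");)',
    '(targetattr = "userpassword || pwmResponseSet") (version 3.0;acl "PWM Allow self '
    'entry modification";allow (write)(userdn = "ldap:///self");)',
    '(targetattr = "pwmGUID || pwmlastPwdUpdate || userPassword || objectClass || '
    'pwmEventLog") (target = "ldap:///ou=People,dc=mycompany,dc=com") (version 3.0; '
    'acl "PWM Proxy Reset Password"; allow (write) '
    '(userdn = "ldap:///cn=pwmproxy,ou=People,dc=mycompany,dc=com");)',
]

# "all" in a 389 DS ACI expands to every right except proxy.
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite"}


def parse_aci(aci):
    """Pull the pieces of one ACI that matter for a rights review into a dict."""
    def grab(pattern):
        m = re.search(pattern, aci, re.IGNORECASE)
        return m.group(1).strip() if m else None

    attrs = grab(r'targetattr\s*=\s*"([^"]*)"')
    rights = {r.strip().lower() for r in grab(r'allow\s*\(([^)]*)\)').split(",")}
    return {
        "name": grab(r'acl\s+"([^"]*)"'),
        "target": grab(r'\(target\s*=\s*"([^"]*)"\)'),
        "attrs": [a.strip().lower() for a in attrs.split("||")] if attrs else [],
        "rights": ALL_RIGHTS if "all" in rights else rights,
        "userdn": grab(r'userdn\s*=\s*"ldap:///([^"]*)"').lower(),
    }

def rights_for(bind_dn, acis=ACIS):
    """Map attribute -> rights granted to bind_dn ('self' = a user on its own entry)."""
    granted = {}
    for aci in map(parse_aci, acis):
        if aci["userdn"] == bind_dn.lower():
            for attr in aci["attrs"]:
                granted.setdefault(attr, set()).update(aci["rights"])
    return granted

def missing_rights(bind_dn, needed=("read", "search"), acis=ACIS):
    """Rights in `needed` that no ACI grants bind_dn on any attribute at all."""
    have = set().union(*rights_for(bind_dn, acis).values())
    return [r for r in needed if r not in have]
```

It reads the ACIs only as text: ACIs elsewhere in the tree, and the entry each ACI is placed on, also decide what the server actually permits, so treat the output as a first pass before checking against the server itself.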