PHP ldap_modify Insufficient access

Tags: php, ldap, openldap

I am getting insufficient access errors using ldap_modify with OpenLDAP 2.4.32 and PHP 5.4.6.

The PHP function that is giving the errors looks like this:

function set_user($dn, $password, $data)
{
  /* This function sets the user's information */

  // Get Configuration Items
  $ldapServer = $this->config->item('ldapServer');
  $ldapDCRoot = $this->config->item('ldapDCRoot');

  // Connect to LDAP
  $ldapConnection = ldap_connect($ldapServer);

  if($ldapConnection)
  {
    $r = ldap_bind($ldapConnection, $dn, $password);
    if ($r)
    {
      // Bind completed successfully; check the modify result instead of
      // discarding it, and report the server's error text when it fails
      $r = ldap_modify($ldapConnection, $dn, $data);
      if (!$r)
      {
        die("Modify failed: " . ldap_error($ldapConnection));
      }
      return True;
    }
    die("Unsuccessful Bind: " . ldap_error($ldapConnection));
  }
  die("Can't connect to LDAP");
}

The $dn is the full DN of the user trying to change their information, along with their password. $data holds the values that they are updating; right now it just contains the phone number to change: $data['mobile'] = "newPhoneNumber". This all appears to be working, except for the fact that the data is never actually written.

The OpenLDAP config file is included below; as you can see, the ACL says that I should be able to write to it.

include     /etc/openldap/schema/corba.schema
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/duaconf.schema
include     /etc/openldap/schema/dyngroup.schema
include     /etc/openldap/schema/inetorgperson.schema
include     /etc/openldap/schema/java.schema
include     /etc/openldap/schema/misc.schema
include     /etc/openldap/schema/nis.schema
include     /etc/openldap/schema/openldap.schema
include     /etc/openldap/schema/ppolicy.schema
include     /etc/openldap/schema/collective.schema

allow bind_v2

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

TLSCertificateFile /etc/pki/tls/certs/slapd.pem
TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

access to *
    by self write
    by users read
    by anonymous auth


database    bdb
suffix      "dc=example,dc=com"
checkpoint  1024 15
rootdn      "cn=manager,dc=example,dc=com"
rootpw          REDACTED

directory   /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

The question is: why can't PHP update the value, and why is it getting an insufficient access error instead?

kaptk2 asked Oct 25 '12 22:10

1 Answer

To debug your issue, I'd suggest using the command-line tool ldapmodify to make the same request. You may need to install it on your system (Redhat openldap-clients, Debian slapd).

LDAP Utilities

By setting the debugging level with -d you can hopefully get more information than what the PHP library is providing about why your call is returning the insufficient access error.

While I have never had to do this with ldapmodify, I have used it with ldapsearch with great success. So it may take some searching or ldapmodify --help to figure out how to use it.

I imagine the command would look something like this:

ldapmodify -d 7 -h ldap.server.com -D bind_dn -w bind_password -f /tmp/entrymods
friendly_programmer answered Oct 14 '22 06:10
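As an added example (not code from the question or the answer), here is the same bind-then-modify sequence as set_user() with every step checked and the server's result code, error text and diagnostic message reported, so the failing step is visible from PHP before reaching for ldapmodify. The server URI, DN and $data below are constructed sample values; it targets a current PHP release rather than the 5.4.6 in the question.

```php
<?php
// Added diagnostic example, not from the question or the answer.
// Same bind + modify as set_user(), but each step reports what the server said.

function ldap_failure($c, $stage)
{
    // ldap_errno()/ldap_error() give the LDAP result code and its text
    // (50 = insufficientAccessRights, 49 = invalidCredentials); the diagnostic
    // message carries slapd's own explanation, when it sends one.
    $opt  = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : LDAP_OPT_ERROR_STRING;
    $diag = '';
    ldap_get_option($c, $opt, $diag);
    return array('ok' => false, 'stage' => $stage, 'errno' => ldap_errno($c),
                 'error' => ldap_error($c), 'diagnostic' => $diag);
}

function modify_with_diagnostics($server, $dn, $password, array $data)
{
    // An empty password turns a simple bind into an anonymous or unauthenticated
    // bind (RFC 4513 section 5.1.2), which some servers accept; refuse it here
    // rather than let the server decide what identity the modify runs as.
    if ($password === '') {
        return array('ok' => false, 'stage' => 'bind', 'error' => 'empty password refused');
    }
    $c = ldap_connect($server);
    if ($c === false) {
        return array('ok' => false, 'stage' => 'connect', 'error' => 'invalid server URI');
    }
    ldap_set_option($c, LDAP_OPT_PROTOCOL_VERSION, 3); // slapd.conf allows v2; use v3
    ldap_set_option($c, LDAP_OPT_REFERRALS, 0);

    if (@ldap_bind($c, $dn, $password) === false) {
        $r = ldap_failure($c, 'bind');
    } elseif (@ldap_modify($c, $dn, $data) === false) {
        $r = ldap_failure($c, 'modify');   // the return value set_user() discarded
    } else {
        $r = array('ok' => true, 'stage' => 'modify');
    }
    ldap_unbind($c);
    return $r;
}

$server   = 'ldap://ldap.example.com';               // constructed
$dn       = 'uid=jdoe,ou=people,dc=example,dc=com';  // constructed
$password = getenv('LDAP_PASSWORD');                 // read from the environment, never hard-coded
$data     = array('mobile' => '+1 555 0100');        // constructed, same shape as the question's $data

print_r(modify_with_diagnostics($server, $dn, $password === false ? '' : $password, $data));
```

The 'stage' field tells you whether the bind itself failed (so the ACL's "by self" clause never applied) or whether the bound identity was accepted and only the modify was refused.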