Hi,
I am putting the following as the first entry in slapd.conf:
access to attr=userPassword by group="cn=admin,base_dn" write by group="cn=maintainer,base_dn" write by self write by anonymous auth by * none stop
To my surprise the admin and maintainer users are able to _read_ the userPassword attribute. I expect that users are able to authenticate and to set the password but nobody is allowed to read the password.
(Tested with multiple versions of OpenLDAP incl. 2.1.12)
Is this a known issue?
See man slapd.access
Write includes all other privileges. You probably want =wx.
Yours Stephan Siano
-- 
----------------------------------------------------------------------
Dr. Stephan Siano, Consultant
SUSE LINUX AG, Mergenthalerallee 45-47, D-65760 Eschborn
T: +49 (0) 6196 5095131  F: +49 (0) 6196 409607 - stephan.siano@suse.com
----------------------------------------------------------------------
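The point of the reply is that slapd's named access levels are cumulative (none < auth < compare < search < read < write, as in slapd.access(5) for 2.1), whereas an explicit privilege set such as =wx grants exactly the listed letters (w = write, x = auth) and nothing else. The following script is an added example, not code from the thread or from OpenLDAP itself: it models that part of the access semantics (named levels, the = form, and the default "stop" control, where the first matching "by" clause decides) and evaluates both the ACL as posted and a corrected version against it. It does not model the +/- relative forms, "continue"/"break", or DN/group matching; a requester is matched by the literal "by" subject. The corrected line also applies =wx to "self", which follows the poster's stated goal that nobody can read the password (the usual "by self write" convention would still let users read their own hash).

```python
"""Model of OpenLDAP slapd.access(5) privilege semantics (added example)."""
import re

# Cumulative levels as documented in slapd.access(5) for OpenLDAP 2.1:
# each named level includes every privilege of the levels below it.
# Letters: x = auth, c = compare, s = search, r = read, w = write.
LEVEL_PRIVS = {
    "none": set(),
    "auth": {"x"},
    "compare": {"x", "c"},
    "search": {"x", "c", "s"},
    "read": {"x", "c", "s", "r"},
    "write": {"x", "c", "s", "r", "w"},
}
CONTROLS = {"stop", "continue", "break"}


def parse_access(spec):
    """Return the set of privilege letters granted by one <access> token."""
    if spec in LEVEL_PRIVS:
        return set(LEVEL_PRIVS[spec])
    m = re.fullmatch(r"([=+-])([wrscx]+)", spec)
    if not m:
        raise ValueError(f"unsupported access spec: {spec!r}")
    op, letters = m.groups()
    if op == "=":
        # "=" sets exactly these privileges; no level is implied.
        return set(letters)
    raise ValueError("+/- are relative to earlier clauses and are not modelled")


def parse_acl(line):
    """Split an 'access to <what> by <who> <access> [control] ...' line."""
    tokens = line.split()
    if tokens[:2] != ["access", "to"]:
        raise ValueError("not an access directive")
    i = tokens.index("by")
    what = " ".join(tokens[2:i])
    clauses = []
    while i < len(tokens):
        if tokens[i] != "by":
            raise ValueError(f"expected 'by' at token {i}, got {tokens[i]!r}")
        who, privs = tokens[i + 1], parse_access(tokens[i + 2])
        i += 3
        control = "stop"  # slapd's default when no control keyword follows
        if i < len(tokens) and tokens[i] in CONTROLS:
            control = tokens[i]
            i += 1
        clauses.append((who, privs, control))
    return what, clauses


def privileges_for(clauses, requester):
    """First matching 'by' clause decides (only the 'stop' control is modelled)."""
    for who, privs, _control in clauses:
        if who == requester or who == "*":
            return privs
    return set()


def can_read(acl_line, requester):
    _, clauses = parse_acl(acl_line)
    return "r" in privileges_for(clauses, requester)


# The ACL exactly as posted in the thread:
POSTED = ('access to attr=userPassword by group="cn=admin,base_dn" write '
          'by group="cn=maintainer,base_dn" write by self write '
          'by anonymous auth by * none stop')

# Same ACL with explicit privilege sets: write and auth only, no read.
FIXED = ('access to attr=userPassword by group="cn=admin,base_dn" =wx '
         'by group="cn=maintainer,base_dn" =wx by self =wx '
         'by anonymous auth by * none stop')

if __name__ == "__main__":
    for name, acl in (("posted", POSTED), ("fixed", FIXED)):
        _, clauses = parse_acl(acl)
        for who, _p, _c in clauses:
            print(f"{name:6} {who:32} privs={sorted(privileges_for(clauses, who))}")
```

Running it shows the admin and maintainer groups holding {c, r, s, w, x} under the posted line and only {w, x} under the fixed one; anonymous keeps {x}, which is what simple bind needs.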