Re: ACL and Password Policy

[Michael Proto <michael.proto@tstllc.net>]

For userPassword "by self write" implies the ability to read as well, try "by self =xw" if you want to be able to write to userPassword without being able to view it.

On Mon, Nov 25, 2013 at 2:15 PM, Aleksander DzierÅanowski <olo@e-lista.pl> wrote:

Hi.

I have OpenLDAP 2.4.36 server grabbed from LTB project. Iâve noticed two issues, can anyone confirm the same behavior?

First - ACLs:
to dn.base=""
    by users read
to dn.subtree="ou=disabledaccounts,o=examples"
    by dn.base="cn=replicationmanager,o=example" read
    by * none
to attrs=userPassword,shadowLastChange
    by dn.base="cn=replicationmanager,o=example" read
    by dn.base=âcn=radiussuperuser,o=example" read
    by anonymous auth
    by self write
    by * none
[skipping few next less important rules]

Above ACL should NOT show userâs own password, right? But it shows in my environment..

Second:
PwdMinLength in password policy does not work. I can easily set shorter password. Password policy in general works, for example it does not allow me to change password earlier than âpwdMinAgeâ.

Best regards,
â
Olo