
Re: Re: ACL and Password Policy



For the first question, Michael already answered you.

For the second, could you give us more information, for example, how do you modify the password? I don't think so, but to remove any doubt: do you modify the password with an ldapmodify request on userPassword, or with the extended operation to modify the password, which will follow the ppolicy constraints (which ldapmodify doesn't take into account)?


On Tue, Nov 26, 2013 at 9:02 AM, mahao_boy <mahao_boy@163.com> wrote:
REMOVE ME


At 2013-11-26 03:47:27, "Michael Proto" <michael.proto@tstllc.net> wrote:
For userPassword "by self write" implies the ability to read as well, try "by self =xw" if you want to be able to write to userPassword without being able to view it.


On Mon, Nov 25, 2013 at 2:15 PM, Aleksander Dzierżanowski <olo@e-lista.pl> wrote:
Hi.

I have an OpenLDAP 2.4.36 server grabbed from the LTB project. I've noticed two issues, can anyone confirm the same behavior?

First - ACLs:
to dn.base=""
    by users read
to dn.subtree="ou=disabledaccounts,o=examples"
    by dn.base="cn=replicationmanager,o=example" read
    by * none
to attrs=userPassword,shadowLastChange
    by dn.base="cn=replicationmanager,o=example" read
    by dn.base="cn=radiussuperuser,o=example" read
    by anonymous auth
    by self write
    by * none
[skipping the next few less important rules]

The above ACL should NOT show the user's own password, right? But it shows in my environment..

Second:
PwdMinLength in the password policy does not work. I can easily set a shorter password. Password policy in general works, for example it does not allow me to change the password earlier than "pwdMinAge".

Best regards,
--
Olo
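
Added example, not part of the thread and not OpenLDAP code: a simplified Python model of the access-level semantics from slapd.access(5), run against the userPassword rule quoted above with `by self write` and with the suggested `by self =xw`. The user DNs are constructed, and the model assumes only the `who` forms that appear in that rule.

```python
# Added illustration, not OpenLDAP source: a simplified model of the access
# semantics in slapd.access(5), applied to the userPassword rule quoted above.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
LETTER = dict(zip(LEVELS[1:], "dxcsrwm"))  # privilege letter added by each level

def privileges(access):
    """Expand an <access> token into the set of privilege letters it grants."""
    if access.startswith("="):              # "=xw": exactly these privileges
        return set(access[1:]) - {"0"}
    idx = LEVELS.index(access)              # a level implies all preceding ones
    return {LETTER[name] for name in LEVELS[1:idx + 1]}

def parse_rule(text):
    """Return [(who, access), ...] from the 'by <who> <access>' lines of one rule."""
    clauses = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "by":
            clauses.append((parts[1], parts[2]))
    return clauses

def matches(who, bind_dn, entry_dn):
    """Does this <who> cover a requester bound as bind_dn (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    if who.startswith("dn.base="):
        return bind_dn == who[len("dn.base="):].strip('"')
    return False

def granted(rule_text, bind_dn, entry_dn):
    """Privileges from the first matching 'by' clause (evaluation stops there)."""
    for who, access in parse_rule(rule_text):
        if matches(who, bind_dn, entry_dn):
            return privileges(access)
    return set()

ORIGINAL = '''to attrs=userPassword,shadowLastChange
    by dn.base="cn=replicationmanager,o=example" read
    by dn.base="cn=radiussuperuser,o=example" read
    by anonymous auth
    by self write
    by * none'''
FIXED = ORIGINAL.replace("by self write", "by self =xw")
USER = "uid=alice,ou=people,o=example"      # constructed DN for the demo
```
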