Re: problem with olcAccess - can not change own userPassword field

To: Stefan Bauer <sb@plzk.de>
Subject: Re: problem with olcAccess - can not change own userPassword field
From: Ryan Tandy <ryan@nardis.ca>
Date: Sat, 13 Jun 2015 15:58:38 -0700
Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Content-disposition: inline
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nardis.ca; s=google; h=date:from:to:cc:subject:message-id:mail-followup-to:references :mime-version:content-type:content-disposition :content-transfer-encoding:in-reply-to:user-agent; bh=wqUrnzTu2jS8wyWluIv/1GEvOMhUysGxUN5ADKm6ktU=; b=LtGJcsR+yukJO8NAmhlfBIaGV66XGT2eOSD+lfb6G9ijMyYPq6Qqv69kc5WPoRaWtC EjHTZZWHiZ4OGZqAmTwIqo+Ac5pu8RnkvqIGDK/FO8Gz/N/oUBd5dpWgtVZHd9DUSxb5 bsvUHJjew0rIYhXk0uGvpGqWXZrvFLi4igT1Y=
In-reply-to: <zarafa.55797b23.5a81.5c148f8e65d3db2e@srv1.localhost>
Mail-followup-to: Stefan Bauer <sb@plzk.de>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
References: <zarafa.55797b23.5a81.5c148f8e65d3db2e@srv1.localhost>
User-agent: Mutt/1.5.23 (2014-03-12)

On Thu, Jun 11, 2015 at 02:12:19PM +0200, Stefan Bauer wrote:

olcAccess: {0}to * by * read by * break


"by * read" matches everyone, and stops. "by * break" is never reached.

olcAccess: {1}to dn.subtree="ou=Benutzer,dc=example,dc=com" attrs=userPassword by self write by * break

This rule is never reached, because everyone is matched by "by * read"(with "stop" implicit) above.

References:
- problem with olcAccess - can not change own userPassword field
  - From: Stefan Bauer <sb@plzk.de>