John Lewis wrote:
> How is this?
>
> olcAccess: {0}to * by
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
> by * break
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by
> anonymous auth by * none
> olcAccess: {3}to * by * read

Slightly better. But the user (self) can still circumvent shadowUser's legacy password expiry by setting attribute 'shadowLastChange'. Well, that's an obsolete feature anyway and shadowAccount should not be used nowadays.

In general when crafting ACLs you should have a test plan or even better automated testing which should also cover the cases which should *not* be possible. Starting with writing down access control requirements before is highly recommended too.

Ciao, Michael.
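An added example (not from the thread) of the negative-test idea: a small model of slapd's first-match olcAccess evaluation, loaded with the ACL quoted above and with an assumed hardened variant, so the cases that must not work (self writing shadowLastChange among them) can be checked offline. The sample user DNs and the hardened ACL are assumptions; a real test plan would run the same cases with ldapmodify/ldapsearch against a test server.

```python
# Model of slapd's olcAccess evaluation: the first <to> clause whose target matches
# decides, and inside it the first matching <by> wins unless it says "break".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# The ACL from the thread, one dict per olcAccess value.
QUOTED_ACL = [
    {"by": [("dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth", "manage"),
            ("*", "break")]},
    {"dn": "", "by": [("*", "read")]},                                   # root DSE
    {"attrs": {"userPassword", "shadowLastChange"},
     "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    {"by": [("*", "read")]},
]
# Assumed hardened variant: only the manage identity of clause {0} may write shadowLastChange.
HARDENED_ACL = QUOTED_ACL[:2] + [
    {"attrs": {"userPassword"}, "by": [("self", "write"), ("anonymous", "auth"), ("*", "none")]},
    {"attrs": {"shadowLastChange"}, "by": [("self", "read"), ("*", "none")]},
] + QUOTED_ACL[3:]

def who_matches(who, requester, target_dn):
    """Match an olcAccess <who> selector against the bound DN (None = anonymous)."""
    if who.startswith("dn.exact="):
        return requester == who[len("dn.exact="):]
    return {"*": True, "anonymous": requester is None, "users": requester is not None,
            "self": requester is not None and requester == target_dn}[who]

def access_level(acl, requester, target_dn, attr):
    """Privilege level <requester> gets on <attr> of the entry <target_dn>."""
    for clause in acl:
        if "dn" in clause and clause["dn"] != target_dn:
            continue
        if "attrs" in clause and attr not in clause["attrs"]:
            continue
        for who, level in clause["by"]:
            if who_matches(who, requester, target_dn):
                if level == "break":
                    break                      # "by * break": try the next <to> clause
                return level
        else:
            return "none"                      # no <by> matched: implicit 'by * none'
    return "none"                              # nothing matched: treat as denied

def has_access(acl, requester, target_dn, attr, needed):
    return LEVELS.index(access_level(acl, requester, target_dn, attr)) >= LEVELS.index(needed)

def negative_tests(acl):
    """Cases that must NOT succeed; returns the names of those the ACL allows."""
    user = "uid=jdoe,ou=people,dc=example,dc=com"       # constructed sample DNs
    other = "uid=mallory,ou=people,dc=example,dc=com"
    cases = [("self writes shadowLastChange", user, user, "shadowLastChange", "write"),
             ("another user writes userPassword", other, user, "userPassword", "write"),
             ("anonymous reads userPassword", None, user, "userPassword", "read"),
             ("anonymous reads shadowLastChange", None, user, "shadowLastChange", "read")]
    return [name for name, req, tgt, a, lvl in cases if has_access(acl, req, tgt, a, lvl)]
```

Running negative_tests(QUOTED_ACL) reports the shadowLastChange case as allowed, while the hardened ACL reports none and still lets self change its own password.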