For userPassword, "by self write" implies the ability to read as well; try "by self =xw" if you want to be able to write to userPassword without being able to view it.
On Mon, Nov 25, 2013 at 2:15 PM, Aleksander Dzierżanowski <[email protected]> wrote:
> Hi.
>
> I have an OpenLDAP 2.4.36 server grabbed from the LTB project. I've noticed two
> issues; can anyone confirm the same behavior?
>
> First - ACLs:
>
> to dn.base=""
>     by users read
> to dn.subtree="ou=disabledaccounts,o=examples"
>     by dn.base="cn=replicationmanager,o=example" read
>     by * none
> to attrs=userPassword,shadowLastChange
>     by dn.base="cn=replicationmanager,o=example" read
>     by dn.base="cn=radiussuperuser,o=example" read
>     by anonymous auth
>     by self write
>     by * none
> [skipping a few less important rules that follow]
>
> The above ACL should NOT show the user's own password, right? But it shows in my
> environment.
>
> Second:
>
> pwdMinLength in the password policy does not work. I can easily set a shorter
> password. The password policy in general works; for example, it does not allow
> me to change my password earlier than 'pwdMinAge'.
>
> Best regards,
> --
> Olo
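The following LDIF is an added example, not code posted by either participant. It shows the reply's point about access levels in cn=config form: OpenLDAP privileges are cumulative (none < disclose < auth < compare < search < read < write < manage), so "by self write" lets the user read userPassword, while a leading "=" grants exactly the listed privilege letters, so "=xw" (auth plus write) lets the user bind with and change the password without being able to search, compare or read it. The second record addresses the pwdMinLength question from the quoted post using what slapo-ppolicy(5) documents: pwdMinLength is only enforced when pwdCheckQuality is 1 or 2 (the default 0 performs no quality checks), and the server can only measure a password it receives in cleartext. Assumptions not taken from the thread: the database is olcDatabase={1}mdb,cn=config, the userPassword rule is olcAccess index {2}, the policy entry lives at cn=default,ou=policies,o=example, and the test account is uid=olo,ou=people,o=example.

```ldif
# Added example (not from the thread). Assumed: the database is
# olcDatabase={1}mdb,cn=config and the userPassword ACL is rule index {2}.
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f acl-and-ppolicy.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
# Old clause was "by self write"; "write" implies read, so self could view
# the hash. "=xw" grants exactly auth (x) and write (w): no read (r),
# compare (c) or search (s). Continuation lines start with two spaces so
# that LDIF folding keeps one real space before each "by".
olcAccess: {2}to attrs=userPassword,shadowLastChange
  by dn.base="cn=replicationmanager,o=example" read
  by dn.base="cn=radiussuperuser,o=example" read
  by anonymous auth
  by self =xw
  by * none

# Password policy (assumed DN). Per slapo-ppolicy(5), pwdMinLength is only
# checked when pwdCheckQuality is 1 or 2; with the default 0 a short
# password is accepted. 2 = reject when the server cannot check the
# password (e.g. it arrived pre-hashed); 1 = accept in that case.
# pwdPolicy is AUXILIARY, so a structural class (device) is required.
dn: cn=default,ou=policies,o=example
changetype: add
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMinLength: 12
pwdMinAge: 3600
pwdAllowUserChange: TRUE

# Checks to run as the user afterwards (assumed DN uid=olo,ou=people,o=example):
#   ldapsearch -x -D uid=olo,ou=people,o=example -W \
#       -b uid=olo,ou=people,o=example userPassword
#   -> the entry is returned, but without a userPassword value (no read)
#   ldappasswd -x -D uid=olo,ou=people,o=example -W -S
#   -> succeeds with a 12+ character password (write), and with
#      pwdCheckQuality 2 a shorter one is rejected with "Password fails
#      quality checking policy"
```

The policy entry only takes effect once it is either named as the default in the ppolicy overlay configuration (olcPPolicyDefault) or referenced from the user entries via pwdPolicySubentry; deleting and re-adding the olcAccess value by its {2} index keeps the rule at its original position in the ordered list, which matters because the first matching "to" clause wins.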
