At 2013-11-26 03:47:27, "Michael Proto" <[email protected]> wrote:
For userPassword "by self write" implies the ability to read as well, try "by self =xw" if you want to be able to write to userPassword without being able to view it.

On Mon, Nov 25, 2013 at 2:15 PM, Aleksander Dzierżanowski <[email protected]> wrote:

> Hi. I have OpenLDAP 2.4.36 server grabbed from LTB project. I've noticed two issues, can anyone confirm the same behavior?
>
> First - ACLs:
>
>     to dn.base="" by users read
>     to dn.subtree="ou=disabledaccounts,o=examples"
>         by dn.base="cn=replicationmanager,o=example" read
>         by * none
>     to attrs=userPassword,shadowLastChange
>         by dn.base="cn=replicationmanager,o=example" read
>         by dn.base=„cn=radiussuperuser,o=example" read
>         by anonymous auth
>         by self write
>         by * none
>     [skipping a few less important rules]
>
> Above ACL should NOT show user's own password, right? But it shows in my environment...
>
> Second: PwdMinLength in password policy does not work. I can easily set a shorter password. Password policy in general works, for example it does not allow me to change password earlier than 'pwdMinAge'.
>
> Best regards,
> Olo
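As an added illustration (not code from either message in the thread), here is a small Python model of why the posted ACL exposes the password: OpenLDAP access levels are cumulative, so "write" includes "read", whereas the "=xw" privilege form grants exactly auth and write. The "who" matching is a deliberate simplification of slapd's evaluator (first matching "by" clause wins; DNs are compared as plain strings), and the two ACL tables and the DN uid=olo,o=example are constructed for the demo.

```python
"""Model of OpenLDAP <access> specs: cumulative levels vs. exact "=" privileges."""

# Access levels from slapd.access(5), lowest to highest. Each level
# implies every level below it, so "write" also grants "read".
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Privilege letters for the "=<privs>" form: nothing beyond the letters is implied.
PRIVS = {"0": "none", "d": "disclose", "x": "auth", "c": "compare",
         "s": "search", "r": "read", "w": "write", "m": "manage"}


def privileges(access: str) -> set:
    """Return the set of privileges that an <access> spec grants."""
    if access.startswith("="):
        return {PRIVS[ch] for ch in access[1:]} - {"none"}
    # Level form: cumulative, so everything below the named level is included.
    return set(LEVELS[1:LEVELS.index(access) + 1])


def evaluate(acl, requester: str, target: str, wanted: str) -> bool:
    """Apply the 'by' clauses of one 'to attrs=userPassword' rule (first match wins).

    acl: list of (who, access) tuples; requester "" means an anonymous bind.
    """
    for who, access in acl:
        matched = (who == "*"
                   or (who == "self" and requester == target)
                   or (who == "users" and bool(requester))
                   or (who == "anonymous" and not requester)
                   or who == requester)          # stands in for dn.base="<dn>"
        if matched:
            return wanted in privileges(access)
    return False


# The userPassword rule as posted in the thread (constructed representation).
ORIGINAL_ACL = [("cn=replicationmanager,o=example", "read"),
                ("cn=radiussuperuser,o=example", "read"),
                ("anonymous", "auth"), ("self", "write"), ("*", "none")]

# Same rule with Michael's suggestion: self may write but not read.
FIXED_ACL = [(who, "=xw" if who == "self" else acc) for who, acc in ORIGINAL_ACL]

USER = "uid=olo,o=example"   # constructed DN for the demo

if __name__ == "__main__":
    print("original, self read :", evaluate(ORIGINAL_ACL, USER, USER, "read"))   # True
    print("fixed, self read    :", evaluate(FIXED_ACL, USER, USER, "read"))      # False
    print("fixed, self write   :", evaluate(FIXED_ACL, USER, USER, "write"))     # True
```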
