Hi,

There is a userPassword attribute access in slapd.conf

access to attrs=userPassword 
       by self write 
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read 
       by dn.base="cn=binduser,dc=rnd,dc=com" read 
       by * auth 

This user has been assigned a different ppolicy and all other users are 
assigned the default ppolicy.

The issue is resolved after setting the pwdAllowUserChange attribute to TRUE 
in the ppolicy.

You might want to rethink this – you are exposing users' passwords to 
everyone

I am curious about your view on exposing users' passwords to everyone; 
please let me know in which part of my ACL you see it.


Thanks & Regards
Raj



From:   Craig White <[email protected]>
To:     "Borresen, John - 0444 - MITLL" <[email protected]>, 
"[email protected]" <[email protected]>
Date:   12/23/2015 10:58 PM
Subject:        RE: Issue while changing user password by self
Sent by:        "openldap-technical" 
<[email protected]>



From: openldap-technical [mailto:[email protected]] 
On Behalf Of Borresen, John - 0444 - MITLL
Sent: Wednesday, December 23, 2015 10:13 AM
To: [email protected]
Subject: RE: Issue while changing user password by self
 
Hello,
 
My users are allowed to modify their own passwords.  My ACL is set like 
this:
 
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none
olcAccess: {1} to * by * read
 
Though not the perfect configuration, it works.   In yours, I don’t see 
the userPassword attribute.
You might want to rethink this – you are exposing users' passwords to 
everyone
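Both ACLs in this thread depend on slapd's first-match rule: within a matching access directive, the first `by` clause whose selector fits the requester fixes the privilege, and `auth` sits below `read`, so `by * auth` lets everyone else bind against userPassword without being able to retrieve it. The Python below is an added illustration, not OpenLDAP code, of that evaluation for the selector forms used in this thread (self, anonymous, dn.base=/dn.exact=, *); it ignores break/continue, set and regex selectors, and the sample DNs are constructed.

```python
# Simplified first-match model of slapd 'access to attrs=...' evaluation.
# Added illustration, not OpenLDAP code: only the selectors used in this
# thread are modelled (self, anonymous, dn.base=, dn.exact=, *), and
# break/continue, set and regex selectors are ignored.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def level_allows(granted, wanted):
    """Privilege levels are cumulative: 'read' includes 'auth', not vice versa."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)

def who_matches(who, requester_dn, target_dn):
    """Match one 'by <who>' selector; an empty requester DN means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    for prefix in ("dn.base=", "dn.exact="):
        if who.startswith(prefix):
            return requester_dn.lower() == who[len(prefix):].strip('"').lower()
    raise ValueError(f"unsupported selector in this model: {who}")

def evaluate(by_clauses, requester_dn, target_dn):
    """Level from the first matching clause; slapd's implicit 'by * none' otherwise."""
    for who, level in by_clauses:
        if who_matches(who, requester_dn, target_dn):
            return level
    return "none"

def can_read_userpassword(by_clauses, requester_dn, target_dn):
    """True if the requester's granted level includes 'read' on userPassword."""
    return level_allows(evaluate(by_clauses, requester_dn, target_dn), "read")

# Raj's attrs=userPassword clauses, transcribed from the slapd.conf fragment.
RAJ_USERPASSWORD = [
    ("self", "write"),
    ('dn.base="cn=mirrormode,dc=rnd,dc=com"', "read"),
    ('dn.base="cn=binduser,dc=rnd,dc=com"', "read"),
    ("*", "auth"),
]

# John's olcAccess {0} clauses for userPassword,shadowLastChange.
JOHN_USERPASSWORD = [
    ("self", "write"),
    ("anonymous", "auth"),
    ('dn.exact="cn=admin,dc=group,dc=ldap"', "write"),
    ("*", "none"),
]
```

With Raj's clauses an anonymous or unrelated authenticated requester lands on `by * auth`, which permits a bind but not a read of the hash; with John's, the same requesters end at `by * none`.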
