Current versions of slapd(8) require that clients have auth permission to the attribute types used for authentication purposes before accessing them to perform the bind operation. As all bind operations are done anonymously (regardless of previous bind success), the auth access must be granted to anonymous.
The example ACL below grants the following access:
- to anonymous users:
  - permission to authenticate using values of
- to authenticated users:
  - permission to update (but not read) their userPassword
  - permission to read any object excepting values of userPassword
All other access is denied.
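# userPassword: the owner may write but not read; anonymous may use it to bind
access to attr=userpassword
    by self =w
    by anonymous auth

# everything else: the owner may write; any authenticated user may read
access to *
    by self write
    by users read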
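
The following is an added example, not part of the original page and not slapd code: a simplified Python model of how the ACL above is evaluated, treating it as two clauses (userPassword, then everything else). It assumes first-match evaluation of clauses and of `by` lines with an implicit final "none", omits the disclose privilege, and uses constructed DNs and hypothetical helper names (`granted`, `allowed`).

```python
# Privilege letters per access spec. A level implies the lower ones, while
# "=w" grants exactly write. x=auth, c=compare, s=search, r=read, w=write.
PRIVS = {
    "auth": {"x"},
    "read": {"x", "c", "s", "r"},
    "write": {"x", "c", "s", "r", "w"},
    "=w": {"w"},
}

# The page's ACL as (attribute or "*", [(who, access), ...]).
ACL = [
    ("userpassword", [("self", "=w"), ("anonymous", "auth")]),
    ("*", [("self", "write"), ("users", "read")]),
]

def who_matches(who, bound_dn, entry_dn):
    """bound_dn is None for an anonymous session. DN comparison is simplified."""
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    raise ValueError("unsupported who: " + who)

def granted(bound_dn, entry_dn, attr):
    """Return the privilege set from the first matching clause and by line."""
    for what, by_lines in ACL:
        if what not in ("*", attr.lower()):
            continue
        for who, access in by_lines:
            if who_matches(who, bound_dn, entry_dn):
                return PRIVS[access]
        return set()  # implicit trailing "by * none" stops evaluation here
    return set()      # implicit final "access to * by * none"

def allowed(bound_dn, entry_dn, attr, priv):
    return priv in granted(bound_dn, entry_dn, attr)

# Constructed sample identities
ALICE = "uid=alice,dc=example,dc=com"
BOB = "uid=bob,dc=example,dc=com"
```

In this model `allowed(ALICE, ALICE, "userPassword", "x")` is false because `=w` carries no auth privilege, which is why the `by anonymous auth` line is what lets the bind succeed.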