Full_Name: Thomas Quinot
Version: slapd 2.X (Nov 22 2017 11:39:03)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/quinot-171122.diff
Submission from: (NULL) (2a02:2ab8:224:1:36e6:d7ff:fe09:66dd)

If a tight ACL is globally defined for userPassword:

    access to attrs=userPassword
        by dn="cn=Manager,o=Local" write
        by self write
        by anonymous auth

and there is a virtual naming context implemented using a relay backend with the rwm overlay:

    database @BACKEND@
    suffix "dc=example,dc=com"
    [...]

    database relay
    suffix o=OtherExample,c=US
    relay dc=example,dc=com
    overlay rwm
    rwm-suffixmassage "dc=example,dc=com"

then an end user's attempt to update her own password will fail with:

    err=53 text=unwilling to verify old password

because at some point we attempt to apply the above ACL to the original (virtual) DN, but considering the resolved (real) DN for the user:

    5a1553ea => acl_mask: access to entry "cn=Ursula Hampster,ou=Alumni Association,ou=People,o=OtherExample,c=US", attr "userPassword" requested
    5a1553ea => acl_mask: to value by "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com", (=0)
Fixed in master.

In general everything was working as documented in slapd-relay(5). But ACLs by "self" would never work due to the target entries having virtual DNs while the connection is always authenticated as the real DN.
Commits:
  • 81076a7f by Howard Chu at 2021-07-20T19:27:45+01:00
    ITS#8775 for passwordMod, pass real DN thru
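As an added illustration (not OpenLDAP code), the Python below models the ACL evaluation described in the report and the reply: the connection is bound as the real DN, the target entry carries the virtual DN, so "by self" never matches until the entry's real DN is used instead. DN handling is deliberately simplified (no escaped commas or multi-valued RDNs); the DNs and suffixes are the ones from the report.

```python
# Constructed model of ITS#8775, not slapd code. Suffixes and DNs come from the report.
VIRTUAL_SUFFIX = "o=OtherExample,c=US"   # suffix of the relay database
REAL_SUFFIX = "dc=example,dc=com"        # rwm-suffixmassage target (the real backend)
MANAGER_DN = "cn=Manager,o=Local"        # 'by dn=...' clause of the userPassword ACL

# Entry DN as seen through the relay, and the DN the connection is really bound as
USER_VIRTUAL_DN = "cn=Ursula Hampster,ou=Alumni Association,ou=People,o=OtherExample,c=US"
USER_REAL_DN = "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com"


def normalize_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN form, like the lowercased DNs in the slapd log."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def massage_suffix(dn: str, old: str, new: str) -> str:
    """Rewrite a trailing suffix the way rwm-suffixmassage does (simplified RDN split)."""
    rdns = [r.strip() for r in dn.split(",")]
    k = len(old.split(","))
    if normalize_dn(",".join(rdns[-k:])) != normalize_dn(old):
        return dn  # not under the massaged suffix: pass through unchanged
    return ",".join(rdns[:-k] + [new])


def is_self(entry_dn: str, bound_dn: str) -> bool:
    """'by self' grants only when the target entry DN equals the bound DN."""
    return normalize_dn(entry_dn) == normalize_dn(bound_dn)


def acl_mask(entry_dn: str, bound_dn: str) -> str:
    """Model of the report's userPassword ACL; returns the access level granted."""
    if bound_dn == "":
        return "auth"   # by anonymous auth
    if normalize_dn(bound_dn) == normalize_dn(MANAGER_DN) or is_self(entry_dn, bound_dn):
        return "write"  # by dn="cn=Manager,o=Local" write / by self write
    return "none"


def password_mod_allowed(virtual_entry_dn: str, bound_real_dn: str, fixed: bool) -> bool:
    """Self-service password change through the relay. Before the fix the ACL saw the
    virtual entry DN against a real bound DN (never 'self'); after it, the entry's
    real DN is passed through, so 'by self write' matches."""
    entry_dn = massage_suffix(virtual_entry_dn, VIRTUAL_SUFFIX, REAL_SUFFIX) if fixed else virtual_entry_dn
    return acl_mask(entry_dn, bound_real_dn) == "write"
```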