[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password Access Control does not work as expected

> Hi,
> I am putting the following as the first entry in slapd.conf:
> access to attr=userPassword
>         by group="cn=admin,base_dn" write
>         by group="cn=maintainer,base_dn" write
>         by self write
>         by anonymous auth
>         by * none stop
> To my surprise the admin and maintainer users are able to _read_ the
> userPassword attribute. I expect that users are able to authenticate and
> to  set the password but nobody is allowed to read the password.
> (Tested with multiple versions of OpenLDAP incl. 2.1.12)
> Is this a known issue?

yes, it's called RTMF in general, and ACL "level" in detail; a "level"
implies all the "level"s below, and it's been like this (and thoroughly
documented) since UMich's ldap-3.3 (the first one I happened to use ages
ago).  What you want to do is perfectly documented as well in
slapd.access(5), and it's called "privilege"; a "privilege" is a specific
access mode, which can be set to <write-privilege> and <auth-privilege>
only.  See slapd.access(5) for details on how to use privileges instead of


Pierangelo Masarati