Re: Password Access Control does not work as expected
> I am putting the following as the first entry in slapd.conf:
> access to attr=userPassword
> by group="cn=admin,base_dn" write
> by group="cn=maintainer,base_dn" write
> by self write
> by anonymous auth
> by * none stop
> To my surprise the admin and maintainer users are able to _read_ the
> userPassword attribute. I expect that users are able to authenticate and
> to set the password but nobody is allowed to read the password.
> (Tested with multiple versions of OpenLDAP incl. 2.1.12)
> Is this a known issue?
yes, it's called RTFM in general, and ACL "level" in detail; a "level"
implies all the "level"s below, and it's been like this (and thoroughly
documented) since UMich's ldap-3.3 (the first one I happened to use ages
ago). What you want to do is perfectly documented as well in
slapd.access(5), and it's called "privilege"; a "privilege" is a specific
access mode, which can be set to <write-privilege> and <auth-privilege>
only. See slapd.access(5) for details on how to use privileges instead of
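As an added illustration of the level-versus-privilege distinction described in this reply (not part of the original thread, and not a verbatim excerpt of slapd.access(5)): the first fragment is the poster's level-based ACL, where "write" implies read, search, compare and auth; the second uses "=" privilege assignments so that admins and maintainers get only the write privilege, users get write plus auth on their own entry, and anonymous gets auth only. The group DNs and "base_dn" are placeholders copied from the question.

```conf
# Level-based ACL (the poster's version). Levels are cumulative:
# "write" grants read as well, so group members can read userPassword.
access to attr=userPassword
    by group="cn=admin,base_dn" write
    by group="cn=maintainer,base_dn" write
    by self write
    by anonymous auth
    by * none stop

# Privilege-based ACL. "=" assigns exactly the listed privileges:
#   w = write, x = auth; no r (read), s (search) or c (compare).
# Group members can set the password but cannot read it; users can
# bind (auth) and change their own password; anonymous can only bind.
access to attr=userPassword
    by group="cn=admin,base_dn" =w
    by group="cn=maintainer,base_dn" =w
    by self =xw
    by anonymous =x
    by * none
```

Because this is the first access directive in slapd.conf, subsequent directives covering other attributes are unaffected; "stop" is the default control and is omitted in the second fragment.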