[Date Prev][Date Next]
Re: Password Access Control does not work as expected
>> access to attr=userPassword
>> by group="cn=admin,base_dn" write
>> by group="cn=maintainer,base_dn" write
>> by self write
>> by anonymous auth
>> by * none stop
>> To my surprise the admin and maintainer users are able to _read_ the
>> userPassword attribute. I expect that users are able to authenticate
>> and to
>> set the password but nobody is allowed to read the password.
>It's not an issue, it's just the way it works. Higher privilege levels
>*include* all lower levels. So "write" automatically includes "read"
Which is why SASL is such a good idea.