[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password Access Control does not work as expected

>> access to attr=userPassword
>>         by group="cn=admin,base_dn" write
>>         by group="cn=maintainer,base_dn" write
>>         by self write
>>         by anonymous auth
>>         by * none stop
>> To my surprise the admin and maintainer users are able to _read_ the
>> userPassword attribute. I expect that users are able to authenticate
>> and to
>> set the password but nobody is allowed to read the password.

>It's not an issue, it's just the way it works. Higher privilege levels
>*include* all lower levels. So "write" automatically includes "read"
>and "auth".

Which is why SASL is such a good idea.