
Re: How do I allow root to edit mdb database? [SOLVED]



John Lewis wrote:
> How is this? 
> 
> olcAccess: {0}to * by
>   dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage
>   by * break
> olcAccess: {1}to dn.base="" by * read
> olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by
>   anonymous auth by * none
> olcAccess: {3}to * by * read

Slightly better. But the user (self) can still circumvent shadowUser's legacy
password expiry by setting attribute 'shadowLastChange'. Well, that's an
obsolete feature anyway and shadowAccount should not be used nowadays.

In general when crafting ACLs you should have a test plan or even better
automated testing which should also cover the cases which should *not* be
possible. Starting with writing down access control requirements before is
highly recommended too.

Ciao, Michael.
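
The advice above about a test plan that also covers what should *not* be possible, sketched as an added example (not part of the original message and not OpenLDAP code): a simplified Python model of the four quoted olcAccess rules, run against a small plan with negative cases. The alice and bob DNs are constructed, and the requirement that a user must not write their own shadowLastChange is an assumption drawn from the reply; the model covers only first-match evaluation, `break`, and the implicit trailing `by * none`.

```python
# Simplified model of slapd ACL evaluation (first match wins, "break" falls through).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ROOT = "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
USER, OTHER = "uid=alice,dc=example,dc=com", "uid=bob,dc=example,dc=com"  # constructed

# The four quoted olcAccess rules: (what-matcher, [(who, level, control), ...])
ACLS = [
    (lambda dn, attr: True,
     [("dn.exact=" + ROOT, "manage", "stop"), ("*", "none", "break")]),
    (lambda dn, attr: dn == "", [("*", "read", "stop")]),
    (lambda dn, attr: attr in ("userPassword", "shadowLastChange"),
     [("self", "write", "stop"), ("anonymous", "auth", "stop"), ("*", "none", "stop")]),
    (lambda dn, attr: True, [("*", "read", "stop")]),
]

def who_matches(who, bound, target):
    if who == "self":
        return bound is not None and bound == target
    if who == "anonymous":
        return bound is None          # None models an anonymous bind
    return who == "*" or who == "dn.exact=" + str(bound)

def granted(bound, target, attr):
    for what, by_clauses in ACLS:
        if not what(target, attr):
            continue
        for who, level, control in by_clauses:
            if who_matches(who, bound, target):
                if control == "break":
                    break             # fall through to the next olcAccess rule
                return level
        else:
            return "none"             # implicit trailing "by * none"
    return "none"                     # no rule applied: access denied

def allowed(bound, target, attr, want):
    return LEVELS.index(granted(bound, target, attr)) >= LEVELS.index(want)

# Test plan: (bound DN, target DN, attribute, level, expected result)
PLAN = [
    (ROOT, USER, "userPassword", "manage", True),
    (USER, USER, "userPassword", "write", True),
    (OTHER, USER, "userPassword", "read", False),
    (None, USER, "userPassword", "read", False),
    (OTHER, USER, "cn", "write", False),
    (USER, USER, "shadowLastChange", "write", False),  # assumed requirement
]

def failing_cases():
    return [c for c in PLAN if allowed(*c[:4]) != c[4]]
```

`failing_cases()` returns only the shadowLastChange case, which is the gap the reply points out; the same plan can then be replayed against a test slapd instance.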
