> On 6/21/19 3:52 PM, Quanah Gibson-Mount wrote:
>> Generally, if you want to restrict access to pwdHistory, you would do something like:
>>
>> access to attrs=pwdHistory by self write by * none
>
> Making pwdHistory writeable by the user him/herself is almost a security issue. The user would additionally need the manage privilege to really remove the attribute, but still the above ACL is not good practice.
Sure, it's a theoretical example. As I also noted already in my reply:

"The "self write" is likely unnecessary since it's an overlay that manages it (slapo-ppolicy). I would note that if some other ACL takes precedence over this ACL (since you've failed to list all of them), it won't get applied."
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
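The two points in the exchange above, that a user should not hold write access to pwdHistory and that an earlier, broader access directive silently shadows a later one, are illustrated in the following slapd.conf fragment. It is an added example, not configuration posted by either participant; the suffix, DNs and policy entry name are constructed. slapd evaluates "access to" directives in order, and the first directive whose what-clause matches the target entry and attribute decides the outcome, so attribute-specific rules must precede the catch-all.

```conf
# Added example, not from the thread. Suffix, DNs and policy DN are constructed.
# slapd walks "access to" directives top to bottom; the first whose <what>
# clause matches the requested entry/attribute is used and the rest are
# never consulted. The rootdn is exempt from ACLs entirely.

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# --- Shadowed (broken) ordering, kept commented out for comparison --------
# The catch-all matches every attribute, pwdHistory included, so the
# pwdHistory rule beneath it is dead code: any authenticated user could
# read the stored password hashes.
#
# access to *
#         by users read
#         by * auth
# access to attrs=pwdHistory
#         by self write
#         by * none

# --- Corrected ordering ---------------------------------------------------
# Attribute-specific rules first. "self write" is dropped: slapo-ppolicy
# maintains pwdHistory through its own internal operations, so no
# user-facing write access is required, and granting it would let a user
# tamper with their own history.
access to attrs=pwdHistory
        by * none

access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to *
        by users read
        by * auth

overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# Offline check of the effective rights, reading this config file directly
# (no running server needed). Run it for each identity you care about:
#
#   slapacl -f /etc/openldap/slapd.conf \
#       -D "uid=alice,ou=people,dc=example,dc=com" \
#       -b "uid=alice,ou=people,dc=example,dc=com" pwdHistory/read
#
# Repeat with pwdHistory/write, and with -D set to another user's DN, to
# confirm the rule is reached and not shadowed by an earlier directive.
```

The slapacl invocation is the practical answer to the "some other ACL takes precedence" caveat: it reports whether the named access is allowed or denied for a given authenticating DN under the complete, ordered directive list, so a rule that has been pushed below a catch-all shows up as an unexpected ALLOWED rather than being discovered after the fact.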