Full_Name: Thomas Quinot
Version: slapd 2.X (Nov 22 2017 11:39:03)
OS: Linux
URL: ftp://ftp.openldap.org/incoming/quinot-171122.diff
Submission from: (NULL) (2a02:2ab8:224:1:36e6:d7ff:fe09:66dd)
If a tight ACL is globally defined for userPassword:
    access to attrs=userPassword
        by dn="cn=Manager,o=Local" write
        by self write
        by anonymous auth
and there is a virtual naming context implemented using a relay backend with rwm overlay:
    database @BACKEND@
    suffix "dc=example,dc=com"
    [...]

    database relay
    suffix o=OtherExample,c=US
    relay dc=example,dc=com
    overlay rwm
    rwm-suffixmassage "dc=example,dc=com"
then an end-user's attempt to update her own password will fail with: err=53 text=unwilling to verify old password
because at some point we attempt to apply the above ACL to the original (virtual) DN, but considering the resolved (real) DN for the user:
    5a1553ea => acl_mask: access to entry "cn=Ursula Hampster,ou=Alumni Association,ou=People,o=OtherExample,c=US", attr "userPassword" requested
    5a1553ea => acl_mask: to value by "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com", (=0)
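The following is an added illustration, not part of this report and not OpenLDAP code: a deliberately small Python model of the "by self" check, enough to show why the access decision above comes out as (=0). The `by self` clause in slapd grants access only when the normalized entry DN equals the normalized bound DN. If the entry DN is still the virtual one (o=OtherExample,c=US) while the bound DN has already been rewritten by the rwm suffix massage to the real naming context (dc=example,dc=com), the two can never compare equal, so the self clause does not match even though it is the same user. The DNs and suffixes are taken from the report; the function names and the simplified normalization are assumptions of this example.

```python
# Added example (not OpenLDAP code): model of slapd's "by self" ACL matching
# under rwm suffix massaging, using the DNs from the report above.

VIRTUAL_SUFFIX = "o=OtherExample,c=US"      # suffix of the relay database
REAL_SUFFIX = "dc=example,dc=com"           # suffix of the real backend

# Entry DN as the client sees it (virtual naming context), from the log line.
VIRTUAL_ENTRY = "cn=Ursula Hampster,ou=Alumni Association,ou=People,o=OtherExample,c=US"
# Bound DN as it appears in the "to value by" log line, i.e. already massaged.
REAL_BOUND = "cn=ursula hampster,ou=alumni association,ou=people,dc=example,dc=com"


def normalize_dn(dn: str) -> str:
    """Simplified DN normalization: lower-case and strip RDN whitespace.

    slapd's real normalization also handles attribute syntaxes and escaping;
    for the plain DNs in this report this approximation is sufficient.
    """
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def suffix_massage(dn: str, virtual_suffix: str, real_suffix: str) -> str:
    """Rewrite a DN under the virtual suffix to the real suffix (rwm-suffixmassage).

    DNs outside the virtual naming context are returned unchanged.
    """
    n = normalize_dn(dn)
    vs = normalize_dn(virtual_suffix)
    rs = normalize_dn(real_suffix)
    if n == vs:
        return rs
    if n.endswith("," + vs):
        return n[: -len(vs)] + rs
    return n


def self_write_allowed(entry_dn: str, bound_dn: str) -> bool:
    """The 'by self write' clause: matches only when entry DN == bound DN."""
    return normalize_dn(entry_dn) == normalize_dn(bound_dn)


if __name__ == "__main__":
    # What the report shows: virtual entry DN checked against a massaged bound DN.
    print("mixed (virtual entry, real bound):",
          self_write_allowed(VIRTUAL_ENTRY, REAL_BOUND))
    # What a consistent evaluation would do: massage both sides the same way.
    massaged_entry = suffix_massage(VIRTUAL_ENTRY, VIRTUAL_SUFFIX, REAL_SUFFIX)
    print("consistent (real entry, real bound):",
          self_write_allowed(massaged_entry, REAL_BOUND))
```

Running it prints `False` for the mixed case, which is the (=0) result in the acl_mask trace and the source of the "unwilling to verify old password" error, and `True` once both DNs are in the same naming context.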