Hello,
When I put my server in readonly mode I still can change passwords with ldappasswd. Is this expected?
Regards, Thierry
Thierry Lacoste wrote:
> When I put my server in readonly mode I still can change passwords with ldappasswd. Is this expected?
Hmm, personally I wouldn't expect this since I'd assume the "Password Modify Extended Operation" is a write operation. So you should file an ITS for that particular case.
This raises an interesting question on what read-only mode really means. There are other situations where LDAP operations which are not considered write operations cause attribute values to be changed, e.g. when having password policy with a retry counter and the client sends a wrong password in a bind request.
Seems to me one should really carefully consider when and why to use read-only mode of slapd.
Ciao, Michael.
openldap-software@openldap.org