Hi,
I've been through google and the man pages - no avail. If anyone can help, I'd be very grateful :)
slapd.conf acl:
access to attrs=userPassword by peername.path="/var/run/slapd/ldapi" manage by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage by self write by * auth
This allows ldappasswd to work, but of course, it also allows anybody to issue an ldapmodify against their own record and store a weak hash (eg {crypt} ) or worse, bypass my check_password plugin policy enforcer.
Removing the "self write" line kills ldapmodify, but also seems to break the password modify exop issues by ldappasswd.
So - how do I allow ldappasswd to work (which respects the policies and allows the server to hash the password using its default hash - SSHA1 in my case) whilst disallowing *direct* modify access to the userPassword: entry?
Answers on a postcard, or a wet herring as appropriate :-|
Many thanks!
Tim