Hi,
There is a userPassword attribute access rule in slapd.conf:

access to attrs=userPassword
    by self write
    by dn.base="cn=mirrormode,dc=rnd,dc=com" read
    by dn.base="cn=binduser,dc=rnd,dc=com" read
    by * auth

This user has been assigned a different ppolicy, and all other users are assigned the default ppolicy.
The issue is resolved after setting the pwdAllowUserChange attribute to TRUE in the ppolicy.
> You might want to rethink this – you are exposing users' passwords to everyone

I am curious about your view on exposing users' passwords to everyone; please let me know which part of my ACL you see it in.

Thanks & Regards,
Raj
From: Craig White <CWhite@skytouchtechnology.com>
To: "Borresen, John - 0444 - MITLL" <John.Borresen@ll.mit.edu>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Date: 12/23/2015 10:58 PM
Subject: RE: Issue while changing user password by self
Sent by: "openldap-technical" <openldap-technical-bounces@openldap.org>

From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Borresen, John - 0444 - MITLL
Sent: Wednesday, December 23, 2015 10:13 AM
To: openldap-technical@openldap.org
Subject: RE: Issue while changing user password by self
Hello,
My users are allowed to modify their own passwords. My ACL is set like this:
olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none
olcAccess: {1} to * by * read

Though not the perfect configuration, it works. In yours, I don't see the userPassword attribute. You might want to rethink this – you are exposing users' passwords to everyone.
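An added example (editor's code, not from either poster) for reviewing userPassword ACLs like the two quoted in this thread: a small Python model of slapd's first-match evaluation of by-clauses that reports which identities end up with read access to the protected attribute. It models only the who-forms that appear here (*, anonymous, users, self, dn.exact/dn.base), uses constructed example DNs for the target entry and the "other user", and does not model ppolicy settings such as pwdAllowUserChange.

```python
import re

# OpenLDAP access levels in increasing order; a grant at one level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
DN_CLAUSE = re.compile(r'dn\.(?:exact|base)="([^"]+)"')

def parse_acl(line):
    """Parse 'access to ...' (slapd.conf) or 'olcAccess: {n}to ...' (cn=config) into
    (attrs, [(who, level), ...]), keeping the by-clauses in evaluation order."""
    body = re.sub(r'^(?:access\s+to|olcAccess:\s*\{\d+\}\s*to)\s+', '', line.strip())
    what, *clauses = re.split(r'\s+by\s+', body)
    m = re.search(r'attrs=(\S+)', what)
    return (m.group(1).split(',') if m else ['*']), [tuple(c.rsplit(None, 1)) for c in clauses]

def who_matches(who, requester_dn, target_dn):
    """Only the who-forms used in the thread (*, anonymous, users, self, dn.exact/dn.base)
    are modelled; requester_dn None means an anonymous bind."""
    if who == '*':
        return True
    if who in ('anonymous', 'users'):
        return (requester_dn is None) == (who == 'anonymous')
    if who == 'self':
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    m = DN_CLAUSE.fullmatch(who)
    if m:
        return requester_dn is not None and requester_dn.lower() == m.group(1).lower()
    raise ValueError(f'unsupported who clause: {who}')

def granted(acl_line, requester_dn, target_dn):
    """First matching by-clause wins, as in slapd; if none matches, access is denied."""
    for who, level in parse_acl(acl_line)[1]:
        if who_matches(who, requester_dn, target_dn):
            return level
    return 'none'

def allows(level, needed):
    return LEVELS.index(level) >= LEVELS.index(needed)

def password_exposure(acl_line):
    """Review helper: who can read the attribute(s) this ACL protects?
    The target and 'other user' DNs are constructed and just need to differ from every named DN."""
    attrs, rules = parse_acl(acl_line)
    target, other = 'uid=someone,dc=example,dc=com', 'uid=other,dc=example,dc=com'
    named = [m.group(1) for who, _ in rules for m in [DN_CLAUSE.fullmatch(who)] if m]
    return {
        'attrs': attrs,
        'anonymous_can_read': allows(granted(acl_line, None, target), 'read'),
        'any_user_can_read': allows(granted(acl_line, other, target), 'read'),
        'named_readers': [dn for dn in named if allows(granted(acl_line, dn, target), 'read')],
    }
```

Run `password_exposure()` over each ACL line in turn; named identities that can read userPassword (replication or bind accounts) are the ones to keep to the minimum the deployment needs.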