Hi,

There is a userPassword attribute access in slapd.conf

access to attrs=userPassword
       by self write
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * auth


This user has been assigned a different ppolicy, and all other users are assigned the default ppolicy.

The issue is resolved after setting the pwdAllowUserChange attribute to TRUE in the ppolicy.

You might want to rethink this – you are exposing users' passwords to everyone

I am curious about your view on exposing users' passwords to everyone; please let me know in which part of my ACL you see it.



Thanks & Regards
Raj
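To make the "who can do what with userPassword" question in this thread concrete, here is an added example (not code from the thread or from the OpenLDAP project) that parses a slapd.conf-style access directive and applies slapd's first-matching-clause rule to it. It loads a constructed copy of the ACL quoted above, plus a constructed contrast rule whose catch-all clause grants read, and reports what an anonymous bind, the user, and the replication DN are each allowed. The DN uid=raj,ou=people,dc=rnd,dc=com is an assumed test value. Only the <who> forms that appear in this thread (self, *, dn.base/dn.exact) plus anonymous and users are handled; control flags such as stop/continue/break, peername or ssf selectors, and the combination of several access directives are outside this model.

```python
import re
from dataclasses import dataclass

# OpenLDAP access levels, weakest to strongest. A clause granting a level
# implicitly grants every level below it (e.g. "read" implies "auth").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed copy of the slapd.conf rule quoted in the thread.
SAMPLE_ACL = """
access to attrs=userPassword
       by self write
       by dn.base="cn=mirrormode,dc=rnd,dc=com" read
       by dn.base="cn=binduser,dc=rnd,dc=com" read
       by * auth
"""

# Constructed contrast case: a catch-all clause that hands out read
# instead of auth, which is the exposure the thread is arguing about.
WEAK_ACL = 'access to attrs=userPassword by self write by * read'


@dataclass
class Clause:
    who: str    # <who> part: self, *, anonymous, users, dn.base="..."
    level: str  # <access> part: none, auth, read, write, ...


def _norm(dn: str) -> str:
    """Case-fold a DN and drop spaces around RDN separators for comparison."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def parse_acl(text: str):
    """Parse one 'access to <what> by <who> <access> ...' directive.

    Continuation lines are joined first, then the directive is split on
    ' by '. Returns (what, [Clause, ...]) in declaration order.
    """
    flat = " ".join(line.strip() for line in text.strip().splitlines())
    parts = re.split(r"\s+by\s+", flat)
    what = parts[0]
    clauses = []
    for part in parts[1:]:
        who, level = part.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError(f"unknown access level: {level}")
        clauses.append(Clause(who.strip(), level))
    return what, clauses


def who_matches(who: str, bind_dn: str, entry_dn: str) -> bool:
    """Does a <who> clause match this bind DN for this target entry?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        # 'self' only matches an authenticated bind whose DN is the entry itself
        return bind_dn != "" and _norm(bind_dn) == _norm(entry_dn)
    m = re.fullmatch(r'dn\.(?:base|exact)="([^"]*)"', who)
    if m:
        return _norm(bind_dn) == _norm(m.group(1))
    raise ValueError(f"unsupported <who> clause: {who}")


def granted_level(clauses, bind_dn: str, entry_dn: str) -> str:
    """First matching <by> clause wins, as in slapd; no match means 'none'."""
    for c in clauses:
        if who_matches(c.who, bind_dn, entry_dn):
            return c.level
    return "none"


def allowed(clauses, bind_dn: str, entry_dn: str, requested: str) -> bool:
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_level(clauses, bind_dn, entry_dn)) >= LEVELS.index(requested)


def anonymous_can_read(clauses) -> bool:
    """The exposure check from the thread: can an unauthenticated bind read the attribute?"""
    # The target entry DN is arbitrary here; 'self' can never match an empty bind DN.
    return allowed(clauses, "", "uid=someone,dc=rnd,dc=com", "read")


if __name__ == "__main__":
    user = "uid=raj,ou=people,dc=rnd,dc=com"  # assumed test DN, not from the thread
    _, acl = parse_acl(SAMPLE_ACL)
    print("self write:", allowed(acl, user, user, "write"))                               # True
    print("anon auth:", allowed(acl, "", user, "auth"))                                    # True
    print("anon read:", allowed(acl, "", user, "read"))                                    # False
    print("mirrormode read:", allowed(acl, "cn=mirrormode,dc=rnd,dc=com", user, "read"))  # True
    print("weak ACL readable anonymously:", anonymous_can_read(parse_acl(WEAK_ACL)[1]))   # True
```

Under the quoted ACL the catch-all `by * auth` lets any bind attempt authenticate against userPassword but never read it, so the attribute is not exposed to everyone; the rule only becomes an exposure if that last clause were `by * read`. Note that ACLs are only half of the picture in this thread: the ppolicy overlay enforces pwdAllowUserChange independently, so a user can hold write access under the ACL and still be refused a self-change until that policy attribute is TRUE.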




From:        Craig White <CWhite@skytouchtechnology.com>
To:        "Borresen, John - 0444 - MITLL" <John.Borresen@ll.mit.edu>, "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Date:        12/23/2015 10:58 PM
Subject:        RE: Issue while changing user password by self
Sent by:        "openldap-technical" <openldap-technical-bounces@openldap.org>





From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Borresen, John - 0444 - MITLL
Sent: Wednesday, December 23, 2015 10:13 AM
To: openldap-technical@openldap.org
Subject: RE: Issue while changing user password by self

Hello,

My users are allowed to modify their own passwords. My ACL is set like this:

olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn.exact="cn=admin,dc=group,dc=ldap" write by * none
olcAccess: {1} to * by * read

Though not the perfect configuration, it works. In yours, I don't see the userPassword attribute.

You might want to rethink this – you are exposing users' passwords to everyone
