Hi
Sorry, I have to use Outlook, which seems unable to support quoting a message for replying, so I top-post:
Why hdb? So far it worked fine for us, and mdb seems to need much more space in RAM and on disk.
"Which attribute(s) does it need to read?" Everything needed to examine the status of the account (change of password, policy, policy's settings).
So my ACLs are not correct it seems.
What I don't understand is this: The manual says about break: "... while the break form allows for other <access> clauses that match the same target to be processed.", so I thought using break WILL allow the following clauses to be processed, while you seem to tell the opposite.
As I understand it, my ACLs do this:
#0 allows read for replication
#1 prevents the admin users from being read from roleOccupant
#2 allows reading pp attributes for the checker account, and using "break" should mean to continue checking other rules
#3 should allow users to change the password and certificate, as well as authenticate (not quite sure about that)
#4 should allow the user to set shadowLastChange (unsure whether it's needed) while allowing others to read that (unsure whether it's a good idea, though)
#5 should allow some password attributes to be read by self (assuming it's needed to allow the OS to warn about expiry)
#6 allows reading the rest
I'm not sure which attributes should be allowed for reading and writing to the specific user (self) to allow the OS to interact with password policy (and shadow attributes) correctly, meaning to display a warning that the password is about to expire, that grace logins are being used, that the account is (temporarily) locked, etc.
Pointers to any docs are appreciated.
Regards, Ulrich
-----Original Message-----
From: Quanah Gibson-Mount <quanah@fast-mail.org>
Sent: Thursday, June 20, 2024 8:55 PM
To: Windl, Ulrich <u.windl@ukr.de>; openldap-technical <openldap-technical@openldap.org>
Subject: [EXT] Re: FW: Accessing ppolicy attributes as non-admin in 2.4
--On Thursday, June 20, 2024 11:50 AM +0000 "Windl, Ulrich" <u.windl@ukr.de> wrote:
> Yes, we are still running an old 2.4 OpenLDAP (mostly because it still has "hdb"), but anyhow:
Why would one want to use an inferior, unreliable database subject to random corruption?
> Instead I added a new user role and tried to add access to the attributes, but somehow it does not work.
Which attribute(s) does it need to read?
> olcAccess: {2}to attrs=pwdAccountLockedTime,pwdAllowUserChange,pwdChangedTime,pwdCheckQuality,pwdExpireWarning,pwdFailureCountInterval,pwdGraceAuthNLimit,pwdGraceUseTime,pwdHistory,pwdInHistory,pwdLockoutDuration,pwdMaxFailure,pwdMaxRecordedFailure,pwdMinAge,pwdMinLength,pwdMustChange,pwdPolicySubentry,pwdReset,pwdSafeModify,shadowExpire,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning by dn.exact="uid=PP-Checker,ou=system,dc=…" read break
So you give your user read access to those attributes, except...
> olcAccess: {5}to attrs=pwdHistory,pwdGraceUseTime,pwdChangedTime by self read by * none
You remove its ability to read these 3 attributes here (due to your use of "read break" in {2}).
I assume it needs read access to pwdChangedTime.
Maybe you meant in {2}:
attrs... by (your user) read by * read break? Or something along those lines, maybe you meant by (your user) read by * break. Hard to tell.
--Quanah
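As an added illustration (not part of this thread, and not slapd's own code), here is a small Python model of the evaluation order the reply relies on: the first olcAccess directive whose "to" clause matches the attribute is taken, the first matching "by" clause inside it applies, "stop" ends evaluation, "break" carries the privilege so far into the next matching directive, whose plain access level then replaces it, and a directive in which no "by" clause matches the requester denies access (the implicit "by * none"). The ACL set below is a constructed, reduced version of the posted one (only {2}, {5} and a read-everything catch-all standing in for #6), the DNs are made up, and the model deliberately leaves out "continue", the incremental "+"/"-" privilege forms and who-clauses other than "*", "self", "anonymous", "users" and "dn.exact=". It reproduces the outcome described in the reply ("read break" in {2} followed by "by * none" in {5} leaves the checker with no access to pwdChangedTime) and shows what the "by (your user) read by * break" variant changes.

```python
# Added example: toy model of slapd olcAccess evaluation (assumptions listed in
# the lead-in; this is not slapd code and does not cover every slapd ACL rule).
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")


@dataclass
class By:
    who: str                      # "*", "self", "anonymous", "users" or "dn.exact=<dn>"
    access: Optional[str] = None  # None = no level given, privilege left unchanged (assumption)
    control: str = "stop"         # "stop" (default) or "break"


@dataclass
class Access:
    attrs: set                    # attribute names the directive applies to, {"*"} = any
    by: list = field(default_factory=list)


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """Does this 'by' clause apply to the requester (None = anonymous bind)?"""
    if who == "*":
        return True
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who.startswith("dn.exact="):
        return requester is not None and requester.lower() == who[len("dn.exact="):].lower()
    raise ValueError(f"who clause not modelled: {who}")


def evaluate(acls, requester, target_dn, attr) -> str:
    """Access level the requester ends up with on one attribute of target_dn."""
    current = "none"
    for directive in acls:
        if "*" not in directive.attrs and attr not in directive.attrs:
            continue                                   # 'to' clause does not match
        matched = next((b for b in directive.by
                        if who_matches(b.who, requester, target_dn)), None)
        if matched is None:
            return "none"                              # implicit "by * none"
        if matched.access is not None:
            if matched.access not in LEVELS:
                raise ValueError(f"unknown access level: {matched.access}")
            current = matched.access                   # plain level replaces the privilege
        if matched.control == "stop":
            return current
        # "break": carry 'current' into the next directive that matches the target
    return current


# Constructed DNs and a subset of the attributes from the posted {2} directive.
CHECKER = "uid=PP-Checker,ou=system,dc=example,dc=org"
ALICE = "uid=alice,ou=people,dc=example,dc=org"
BOB = "uid=bob,ou=people,dc=example,dc=org"
PP_ATTRS = {"pwdChangedTime", "pwdHistory", "pwdGraceUseTime", "pwdAccountLockedTime"}
SELF_ATTRS = {"pwdHistory", "pwdGraceUseTime", "pwdChangedTime"}

# As posted in the thread: {2} gives the checker "read break", {5} then hits "by * none".
ACL_AS_POSTED = [
    Access(PP_ATTRS, [By("dn.exact=" + CHECKER, "read", "break")]),   # {2}
    Access(SELF_ATTRS, [By("self", "read"), By("*", "none")]),          # {5}
    Access({"*"}, [By("*", "read")]),                                   # stand-in for #6
]

# Variant from the reply: the checker stops with "read", everyone else falls through.
ACL_SUGGESTED = [
    Access(PP_ATTRS, [By("dn.exact=" + CHECKER, "read"), By("*", None, "break")]),
    Access(SELF_ATTRS, [By("self", "read"), By("*", "none")]),
    Access({"*"}, [By("*", "read")]),
]


def outcomes(acls) -> dict:
    """Resulting access for the cases discussed in the thread."""
    return {
        "checker pwdChangedTime": evaluate(acls, CHECKER, ALICE, "pwdChangedTime"),
        "checker pwdAccountLockedTime": evaluate(acls, CHECKER, ALICE, "pwdAccountLockedTime"),
        "self pwdChangedTime": evaluate(acls, ALICE, ALICE, "pwdChangedTime"),
        "other user pwdChangedTime": evaluate(acls, BOB, ALICE, "pwdChangedTime"),
        "anonymous pwdChangedTime": evaluate(acls, None, ALICE, "pwdChangedTime"),
    }


if __name__ == "__main__":
    for name, acls in (("as posted", ACL_AS_POSTED), ("suggested", ACL_SUGGESTED)):
        print(name)
        for case, level in outcomes(acls).items():
            print(f"  {case:32} -> {level}")
```

Two things the model makes visible: with the posted form, the checker loses pwdChangedTime (read from {2} is overwritten by "by * none" in {5}), and a user cannot read her own pwdChangedTime either, because {2} has only the checker's "by" clause and so denies everyone else before {5} is ever reached. Moving "break" onto a trailing "by *" clause fixes both: the checker stops with read, and everyone else continues to {5}, where "self" gets read and the rest get none. Any real change should of course be confirmed against the running server with ldapsearch bound as the checker account and as a normal user, since the model omits several slapd rules.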