As I think the message had been blocked (I'm still receiving messages, but seem to be unable to send due to address mis-matching), I'm re-sending it. Please ignore if it had been delivered.
From: Windl, Ulrich
Sent: Thursday, June 20, 2024 9:53 AM
To: openldap-technical <openldap-technical@openldap.org>
Subject: Accessing ppolicy attributes as non-admin in 2.4
Hi!
Yes, we are still running an old 2.4 OpenLDAP (mostly because it still has "hdb"), but anyhow:
There's a request to search for accounts where the password will expire soon according to configured ppolicies. I wrote the code, realizing that a normal user cannot read other users policy attributes, while the admin user can. As the process should run automatically, I don't want to add admin credentials for that kind of reporting. Instead I added a new user role and tried to add access to the attributes, but somehow it does not work. I think I did not make an error, but ACL configuration can be tricky.
So the question is: Can it be done in 2.4, and if so, what might be wrong in this config (lines unfolded, sorry):

olcAccess: {0}to * by dn.exact="uid=syncrepl,ou=system,dc=..." read by group/organizationalRole/roleOccupant.exact="cn=LDAP-Manager,dc=roles,dc=..." write by * break
olcAccess: {1}to dn.children="dc=roles,dc=..." attrs=roleOccupant by * none
olcAccess: {2}to attrs=pwdAccountLockedTime,pwdAllowUserChange,pwdChangedTime,pwdCheckQuality,pwdExpireWarning,pwdFailureCountInterval,pwdGraceAuthNLimit,pwdGraceUseTime,pwdHistory,pwdInHistory,pwdLockoutDuration,pwdMaxFailure,pwdMaxRecordedFailure,pwdMinAge,pwdMinLength,pwdMustChange,pwdPolicySubentry,pwdReset,pwdSafeModify,shadowExpire,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning by dn.exact="uid=PP-Checker,ou=system,dc=..." read break
olcAccess: {3}to attrs=userPassword,userPKCS12 by self write by * auth
olcAccess: {4}to attrs=shadowLastChange by self write by * read
olcAccess: {5}to attrs=pwdHistory,pwdGraceUseTime,pwdChangedTime by self read by * none
olcAccess: {6}to * by * read
The account in question is "uid=PP-Checker,ou=system,dc=..." obviously, and the "cn=LDAP-Manager,dc=roles,dc=..." can access the attributes.
The account is like this:
dn: uid=PP-Checker,ou=system,dc=...
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
structuralObjectClass: account
uid: PP-Checker
The Admin object looks like this:
dn: cn=LDAP-Manager,dc=roles,dc=...
objectClass: organizationalRole
cn: LDAP-Manager
description: Administrative Access to LDAP Directory
roleOccupant: uid=me-for-example,ou=people,dc=...
roleOccupant: uid=another,ou=people,dc=...
structuralObjectClass: organizationalRole
Any help on this is highly appreciated. If you think something else is wrong, also tell me please.
Alternatively you could give an answer on https://superuser.com/q/1844359/964771
Kind regards, Ulrich
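As an added illustration (not code from the mail or from OpenLDAP), the following Python script traces the seven posted olcAccess directives under the evaluation rules documented in slapd.access(5): directives are tried in order; inside a matching directive the first matching "by" clause sets the privilege level (non-incremental levels such as "read" or "none" replace whatever an earlier directive granted); "stop" (the default control) ends evaluation; "break" goes on to the next directive whose target matches; and a matching directive in which no "by" clause matches denies access (the implicit "by * none"). It models only the <what>/<who> forms that actually occur in the posted config. The suffix dc=example,dc=org, the uid=bob test entry and the role occupants are constructed stand-ins for the elided "dc=..." values.

```python
"""Trace the posted olcAccess directives the way slapd.access(5) describes evaluation.

Added example, not code from the mail or from OpenLDAP.  Models only the
<what>/<who> forms present in the posted configuration.
"""
from dataclasses import dataclass, field
from typing import Optional

BASE = "dc=example,dc=org"          # constructed stand-in for the mail's "dc=..."
SYSTEM = f"ou=system,{BASE}"
ROLES = f"dc=roles,{BASE}"
PEOPLE = f"ou=people,{BASE}"
PP_CHECKER = f"uid=PP-Checker,{SYSTEM}"
MANAGER_ROLE = f"cn=LDAP-Manager,{ROLES}"

# roleOccupant values of the organizationalRole, as in the posted admin object
ROLE_OCCUPANTS = {MANAGER_ROLE: {f"uid=me-for-example,{PEOPLE}", f"uid=another,{PEOPLE}"}}

# slapd privilege levels, weakest to strongest
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class By:
    who: str                      # "dn.exact=<dn>", "group=<dn>", "self" or "*"
    level: Optional[str] = None   # None: clause carries only a control, level unchanged
    control: str = "stop"         # "stop" (default) or "break"


@dataclass
class Access:
    attrs: Optional[set] = None         # None means "to *" (every attribute)
    dn_children: Optional[str] = None   # dn.children="<dn>" target, if any
    by: list = field(default_factory=list)


PPOLICY_ATTRS = {
    "pwdAccountLockedTime", "pwdAllowUserChange", "pwdChangedTime", "pwdCheckQuality",
    "pwdExpireWarning", "pwdFailureCountInterval", "pwdGraceAuthNLimit", "pwdGraceUseTime",
    "pwdHistory", "pwdInHistory", "pwdLockoutDuration", "pwdMaxFailure",
    "pwdMaxRecordedFailure", "pwdMinAge", "pwdMinLength", "pwdMustChange",
    "pwdPolicySubentry", "pwdReset", "pwdSafeModify", "shadowExpire", "shadowInactive",
    "shadowLastChange", "shadowMax", "shadowMin", "shadowWarning",
}

# The seven olcAccess directives from the mail, in their {n} order.
ACLS = [
    Access(by=[By(f"dn.exact=uid=syncrepl,{SYSTEM}", "read"),
               By(f"group={MANAGER_ROLE}", "write"),
               By("*", control="break")]),                                          # {0}
    Access(dn_children=ROLES, attrs={"roleOccupant"}, by=[By("*", "none")]),         # {1}
    Access(attrs=PPOLICY_ATTRS, by=[By(f"dn.exact={PP_CHECKER}", "read", "break")]),  # {2}
    Access(attrs={"userPassword", "userPKCS12"}, by=[By("self", "write"), By("*", "auth")]),  # {3}
    Access(attrs={"shadowLastChange"}, by=[By("self", "write"), By("*", "read")]),   # {4}
    Access(attrs={"pwdHistory", "pwdGraceUseTime", "pwdChangedTime"},
           by=[By("self", "read"), By("*", "none")]),                                # {5}
    Access(by=[By("*", "read")]),                                                    # {6}
]


def _lc(s):
    return s.lower()


def target_matches(acl, target_dn, attr):
    """Does this directive's <what> cover attr of target_dn?"""
    if acl.attrs is not None and _lc(attr) not in {_lc(a) for a in acl.attrs}:
        return False
    if acl.dn_children is not None and not _lc(target_dn).endswith("," + _lc(acl.dn_children)):
        return False
    return True


def who_matches(clause, bind_dn, target_dn, occupants):
    """Does this <who> clause match the bound identity (None = anonymous)?"""
    if clause.who == "*":
        return True
    if bind_dn is None:
        return False
    if clause.who == "self":
        return _lc(bind_dn) == _lc(target_dn)
    kind, _, value = clause.who.partition("=")
    if kind == "dn.exact":
        return _lc(bind_dn) == _lc(value)
    if kind == "group":   # group/organizationalRole/roleOccupant.exact="<dn>"
        return _lc(bind_dn) in {_lc(d) for d in occupants.get(value, ())}
    raise ValueError(f"unsupported <who> form: {clause.who}")


def evaluate(acls, bind_dn, target_dn, attr, occupants=ROLE_OCCUPANTS):
    """Privilege level bind_dn ends up with on attr of target_dn."""
    level = "none"
    for acl in acls:
        if not target_matches(acl, target_dn, attr):
            continue
        clause = next((c for c in acl.by if who_matches(c, bind_dn, target_dn, occupants)), None)
        if clause is None:
            return "none"          # implicit "by * none" at the end of every directive
        if clause.level is not None:
            level = clause.level   # non-incremental level replaces the earlier grant
        if clause.control == "stop":
            return level
        # "break": keep the level so far and try the next directive that matches
    return level                   # only reached if nothing matched; {6} "to *" prevents that


def readable_attrs(acls, bind_dn, target_dn, attrs, occupants=ROLE_OCCUPANTS):
    """Subset of attrs on which bind_dn has at least read access."""
    return {a for a in attrs
            if LEVELS.index(evaluate(acls, bind_dn, target_dn, a, occupants)) >= LEVELS.index("read")}


if __name__ == "__main__":
    bob = f"uid=bob,{PEOPLE}"   # constructed test entry
    for attr in sorted(PPOLICY_ATTRS):
        print(f"{PP_CHECKER} on {attr}: {evaluate(ACLS, PP_CHECKER, bob, attr)}")
```

Running it prints, per ppolicy attribute, the level the model gives uid=PP-Checker on another user's entry; the interesting cases are the three attributes that directive {5} names again after {2}'s "break". On the server itself the real evaluator can be asked the same question with slapacl(8), e.g. `slapacl -F /etc/openldap/slapd.d -D "uid=PP-Checker,ou=system,dc=..." -b "uid=someone,ou=people,dc=..." pwdChangedTime/read`, which reports ALLOWED or DENIED for that exact access (the config directory path is an assumption; use the one slapd runs with).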