As I think the message had been blocked (I’m still receiving messages, but seem to be unable to send due to address mis-matching), I’m re-sending it. Please ignore if it had been delivered.

From: Windl, Ulrich
Sent: Thursday, June 20, 2024 9:53 AM
To: openldap-technical <openldap-technical@openldap.org>
Subject: Accessing ppolicy attributes as non-admin in 2.4

Hi!

Yes, we are still running an old 2.4 OpenLDAP (mostly because it still has “hdb”), but anyhow:

There’s a request to search for accounts where the password will expire soon according to configured ppolicies.

I wrote the code, realizing that a normal user cannot read other users' policy attributes, while the admin user can.

As the process should run automatically, I don’t want to add admin credentials for that kind of reporting.

Instead I added a new user role and tried to add access to the attributes, but somehow it does not work.

I think I did not make an error, but ACL configuration can be tricky.

So the question is: Can it be done in 2.4, and if so, what might be wrong in this config (lines unfolded, sorry):

olcAccess: {0}to * by dn.exact="uid=syncrepl,ou=system,dc=…" read by group/organizationalRole/roleOccupant.exact="cn=LDAP-Manager,dc=roles,dc=…" write by * break
olcAccess: {1}to dn.children="dc=roles,dc=…" attrs=roleOccupant by * none
olcAccess: {2}to attrs=pwdAccountLockedTime,pwdAllowUserChange,pwdChangedTime,pwdCheckQuality,pwdExpireWarning,pwdFailureCountInterval,pwdGraceAuthNLimit,pwdGraceUseTime,pwdHistory,pwdInHistory,pwdLockoutDuration,pwdMaxFailure,pwdMaxRecordedFailure,pwdMinAge,pwdMinLength,pwdMustChange,pwdPolicySubentry,pwdReset,pwdSafeModify,shadowExpire,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning by dn.exact="uid=PP-Checker,ou=system,dc=…" read break
olcAccess: {3}to attrs=userPassword,userPKCS12 by self write by * auth
olcAccess: {4}to attrs=shadowLastChange by self write by * read
olcAccess: {5}to attrs=pwdHistory,pwdGraceUseTime,pwdChangedTime by self read by * none
olcAccess: {6}to * by * read

The account in question is "uid=PP-Checker,ou=system,dc=…", obviously, and the "cn=LDAP-Manager,dc=roles,dc=…" can access the attributes.

The account is like this:

dn: uid=PP-Checker,ou=system,dc=…
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
structuralObjectClass: account
uid: PP-Checker

The Admin object looks like this:

dn: cn=LDAP-Manager,dc=roles,dc=…
objectClass: organizationalRole
cn: LDAP-Manager
description: Administrative Access to LDAP Directory
roleOccupant: uid=me-for-example,ou=people,dc=…
roleOccupant: uid=another,ou=people,dc=…
structuralObjectClass: organizationalRole

Any help on this is highly appreciated. If you think something else is wrong, also tell me please.

Alternatively you could give an answer on https://superuser.com/q/1844359/964771

Kind regards,
Ulrich
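
Added example, not from the original post or from OpenLDAP itself: once the reporting account can read the ppolicy attributes, the "expires soon" report is the computation pwdChangedTime plus the pwdMaxAge of the effective policy (the entry's pwdPolicySubentry, else the default policy), flagged when the remaining time is inside that policy's pwdExpireWarning window. The policy DNs, user entries and timestamps are constructed, and pwdChangedTime is assumed in the plain YYYYmmddHHMMSSZ form slapd writes.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the original post): a default ppolicy, a stricter
# per-user override selected via pwdPolicySubentry, and user entries with pwdChangedTime.
DEFAULT_POLICY_DN = "cn=default,ou=policies,dc=example,dc=org"
POLICIES = {
    DEFAULT_POLICY_DN: {"pwdMaxAge": 90 * 86400, "pwdExpireWarning": 14 * 86400},
    "cn=strict,ou=policies,dc=example,dc=org": {"pwdMaxAge": 30 * 86400, "pwdExpireWarning": 7 * 86400},
}
USERS = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org", "pwdChangedTime": "20240325090000Z"},
    {"dn": "uid=bob,ou=people,dc=example,dc=org", "pwdChangedTime": "20240510090000Z",
     "pwdPolicySubentry": "cn=strict,ou=policies,dc=example,dc=org"},
    {"dn": "uid=carol,ou=people,dc=example,dc=org", "pwdChangedTime": "20240601090000Z"},
    {"dn": "uid=svc,ou=system,dc=example,dc=org"},  # no pwdChangedTime: never expires
]
# "As of" instant for the report (constructed; the original post is dated 2024-06-20).
NOW = datetime(2024, 6, 20, 9, 53, tzinfo=timezone.utc)

def parse_generalized_time(value):
    """Parse the GeneralizedTime form slapd uses for pwdChangedTime (YYYYmmddHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def effective_policy(user, policies, default_dn):
    """The ppolicy entry that applies: the entry's pwdPolicySubentry if set, else the default."""
    return policies[user.get("pwdPolicySubentry", default_dn)]

def password_expiry(user, policies, default_dn):
    """UTC datetime at which the password expires, or None if it does not expire."""
    changed = user.get("pwdChangedTime")
    max_age = effective_policy(user, policies, default_dn).get("pwdMaxAge", 0)
    if changed is None or max_age == 0:
        return None  # no pwdChangedTime, or pwdMaxAge 0/absent: ppolicy never expires it
    return parse_generalized_time(changed) + timedelta(seconds=max_age)

def report(users, policies, default_dn, now):
    """(dn, status, expiry) for passwords already expired or inside the warning window."""
    rows = []
    for user in users:
        expiry = password_expiry(user, policies, default_dn)
        if expiry is None:
            continue
        warning = timedelta(seconds=effective_policy(user, policies, default_dn).get("pwdExpireWarning", 0))
        if expiry <= now:
            rows.append((user["dn"], "expired", expiry.strftime("%Y-%m-%dT%H:%MZ")))
        elif warning and expiry - now <= warning:  # pwdExpireWarning 0 means no warning period
            rows.append((user["dn"], "expiring", expiry.strftime("%Y-%m-%dT%H:%MZ")))
    return rows
```

Calling report(USERS, POLICIES, DEFAULT_POLICY_DN, NOW) lists alice as expiring (2024-06-23) and bob as already expired (2024-06-09); carol is outside the 14-day window and the service account has no pwdChangedTime, so neither is reported.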