What I had forgotten to add:

This is the first ACL that tried to assign rights to an object in one database to an object in another database for me.

So:

From: Windl, Ulrich
Sent: Thursday, July 4, 2024 8:46 AM
To: 'Windl, Ulrich' <u.windl@ukr.de>; openldap-technical <openldap-technical@openldap.org>
Subject: RE: Querying the default password policy

Hi!

Next step:

After finding the attribute name olcPPolicyDefault I tried to set up an ACL, but my first attempt ended in

ldap_modify: Other (e.g., implementation specific) error (80)

        additional info: <olcAccess> handler exited with 1

So I’m unsure: is it possible to define an ACL that grants access to one database (i.e. “config”) for an object on another database (e.g. some user)?

What I tried to add was

olcAccess: {1}to filter=&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*) attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=context" read by * break

(it’s the first time I tried an LDAP filter in an ACL, because I did not find a better way to restrict the ACL to the intended entries)

So any advice is welcome!

Kind regards,

Ulrich

From: Windl, Ulrich <u.windl@ukr.de>
Sent: Monday, July 1, 2024 10:46 AM
To: openldap-technical <openldap-technical@openldap.org>
Subject: [EXT] Querying the default password policy

Hi!

I just discovered a problem (reading “man slapo-ppolicy” in old 2.4 OpenLDAP):

It seems one can configure a “default policy”, but it cannot be queried.

At least https://serverfault.com/a/644658/407952 suggests that, and after reading “man slapo-ppolicy” I did not find something different.

Why isn’t there some “olc” attribute for it?

So far we did not set the default policy, but assigned one to each user.

However, I wanted to write a utility that would evaluate the changes if a default password policy were added.

For obvious reasons I don’t want to hard-code the policy name into the utility, and the utility may run on any server, not just on LDAP servers, to query them.

However, digging in the configs, I found in dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config the attribute “olcPPolicyDefault”, wondering why it isn’t documented.

So far, so good, but what would an ACL allowing to read that attribute look like? It seems I cannot specify that specific attribute within the olcPPolicyConfig object class within the corresponding cn=config subtree:

I can allow access to the attribute name globally, or to all attributes of the object class, and “attrstyle” can only be used for a specific value.

So how should I allow access to that attribute for my special user running the utility?

Kind regards,

Ulrich
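As an added example (not from the thread or from the OpenLDAP project), here is one way to express the ACL asked about in both messages above as an LDIF against the config database. It assumes the config database is olcDatabase={0}config, the utility binds as the uid=PP-Checker DN from the message and searches base cn=config with subtree scope, and it writes the filter= clause of slapd.access(5) as an RFC 4515 filter, i.e. with the conjunction in its own enclosing parentheses. The `by` clause only names the bound DN, so the fact that uid=PP-Checker lives in a different database than cn=config does not matter.

```ldif
# Added example, not the poster's configuration.
# Assumptions: config database = olcDatabase={0}config; the utility binds as
# uid=PP-Checker,ou=system,dc=context (DN taken from the thread) and searches
# base "cn=config", scope sub, filter "(olcPPolicyDefault=*)".
# LDIF folds long values: a continuation line starts with one space that is
# stripped, so two leading spaces keep one space between the tokens.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
# A subtree search needs "search" on the "entry" pseudo-attribute of the base.
olcAccess: {0}to dn.exact="cn=config" attrs=entry
  by dn.exact="uid=PP-Checker,ou=system,dc=context" search
  by * break
# RFC 4515 form: the "&" conjunction is wrapped in its own parentheses.
# "entry" is required to return a matching entry at all, objectClass so the
# search filter's objectClass test can be evaluated; "read" implies "search".
# Both ACLs are inserted in front ({0}, {1}); "by * break" keeps any existing
# olcAccess values in effect for everyone else.
olcAccess: {1}to filter=(&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*))
  attrs=entry,objectClass,olcPPolicyDefault
  by dn.exact="uid=PP-Checker,ou=system,dc=context" read
  by * break
-
```

To check the result, bind as uid=PP-Checker and run `ldapsearch -b cn=config -s sub '(olcPPolicyDefault=*)' olcPPolicyDefault`; the DN of each returned entry shows which database the default policy belongs to, so the utility need not hard-code the overlay DN.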