--On Thursday, June 20, 2024 11:50 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
> Yes, we are still running an old 2.4 OpenLDAP (mostly because it still has "hdb"), but anyhow:
Why would one want to use an inferior, unreliable database subject to random corruption?
> Instead I added a new user role and tried to add access to the attributes, but somehow it does not work.
Which attribute(s) does it need to read?
> olcAccess: {2}to attrs=pwdAccountLockedTime,pwdAllowUserChange,pwdChangedTime,pwdCheckQuality,pwdExpireWarning,pwdFailureCountInterval,pwdGraceAuthNLimit,pwdGraceUseTime,pwdHistory,pwdInHistory,pwdLockoutDuration,pwdMaxFailure,pwdMaxRecordedFailure,pwdMinAge,pwdMinLength,pwdMustChange,pwdPolicySubentry,pwdReset,pwdSafeModify,shadowExpire,shadowInactive,shadowLastChange,shadowMax,shadowMin,shadowWarning by dn.exact="uid=PP-Checker,ou=system,dc=…" read break
So you give your user read access to those attributes, except...
> olcAccess: {5}to attrs=pwdHistory,pwdGraceUseTime,pwdChangedTime by self read by * none
You remove its ability to read these 3 attributes here (due to your use of "read break" in {2}).
I assume it needs read access to pwdChangedTime.
Maybe you meant in {2}:
attrs... by (your user) read by * read break? Or something along those lines; maybe you meant by (your user) read by * break. Hard to tell.
--Quanah
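As an added illustration (not part of the thread, and not OpenLDAP's own code), here is a small Python model of the directive walk Quanah describes: the first `to` clause covering the attribute is used, the first matching `by` clause inside it assigns the level, `stop` is the default control, and `break` falls through to the next covering directive, whose own matching `by` clause overwrites the level. It encodes {2} and {5} as posted plus the two rewrites of {2} floated above, using placeholder DNs because the post elides the suffix. It is a simplified reading of slapd.access(5), so confirm any conclusion against a real server (slapacl(8) is the tool for that) before changing production ACLs.

```python
"""Toy model of how slapd walks a chain of olcAccess directives.

Added illustration for the thread above, not OpenLDAP code. It models only
what the quoted configuration uses: `to attrs=...`, `by self`,
`by dn.exact=...`, `by *`, the levels `read`/`none`, and the controls
`stop` (default) and `break`. Everything else in slapd.access(5) (ordered
access levels, `+`/`-` incremental masks, `continue`, filters, regexes,
the global default access) is left out, so treat the rules below as a
simplified reading of the man page, not the authoritative algorithm.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class By:
    who: str                       # "self", "*", or 'dn.exact="<dn>"'
    access: Optional[str] = None   # "read", "none", or None = no level given
    control: str = "stop"          # "stop" (default) or "break"


@dataclass
class Directive:
    attrs: set                     # attributes named in `to attrs=...`
    bys: list = field(default_factory=list)


def who_matches(who: str, requester: str, target: str) -> bool:
    """Does a `by <who>` clause apply to this requester/target pair?"""
    if who == "*":
        return True
    if who == "self":
        return requester.lower() == target.lower()
    if who.startswith("dn.exact="):
        return who[len("dn.exact="):].strip('"').lower() == requester.lower()
    raise ValueError(f"unsupported who clause: {who}")


def evaluate(directives, requester, target, attr):
    """Return the level the requester ends up with on `attr` of `target`.

    Modelled rules: the first directive whose `to` clause covers the attribute
    is used; inside it the first matching `by` clause assigns the level. With
    `stop` that decision is final; with `break` evaluation moves on to the next
    covering directive, whose matching `by` clause overwrites the level.
    A directive that covers the attribute but has no matching `by` clause
    denies (the implicit trailing `by * none`). If no directive covers the
    attribute the model returns None (slapd would apply its global default).
    """
    access, covered = "none", False
    for d in directives:
        if attr not in d.attrs:
            continue
        covered = True
        for b in d.bys:
            if not who_matches(b.who, requester, target):
                continue
            if b.access is not None:      # assumption: a bare `by * break`
                access = b.access         # leaves the level untouched
            if b.control == "break":
                break                     # fall through to next directive
            return access                 # stop: decision is final
        else:
            return "none"                 # covered, but no `by` matched
    return access if covered else None


# DNs are constructed placeholders; the post elides the suffix after "dc=".
CHECKER = 'uid=PP-Checker,ou=system,dc=example,dc=org'
ALICE = 'uid=alice,ou=people,dc=example,dc=org'
BOB = 'uid=bob,ou=people,dc=example,dc=org'
LOCKED = {"pwdHistory", "pwdGraceUseTime", "pwdChangedTime"}   # {5}'s attrs
PP_ATTRS = LOCKED | {"pwdReset", "pwdAccountLockedTime"}        # part of {2}'s list


def chain(first_directive):
    """{2} as given, followed by the posted {5}: `by self read by * none`."""
    return [first_directive,
            Directive(LOCKED, [By("self", "read"), By("*", "none")])]


# {2} as posted: grant the checker read, then `break`
AS_POSTED = chain(Directive(PP_ATTRS, [By(f'dn.exact="{CHECKER}"', "read", "break")]))
# the two rewrites of {2} suggested in the reply above
VARIANT_A = chain(Directive(PP_ATTRS, [By(f'dn.exact="{CHECKER}"', "read"),
                                       By("*", "read", "break")]))
VARIANT_B = chain(Directive(PP_ATTRS, [By(f'dn.exact="{CHECKER}"', "read"),
                                       By("*", None, "break")]))


def outcomes(directives):
    """Who can read pwdChangedTime on alice's entry under a given chain."""
    return {name: evaluate(directives, dn, ALICE, "pwdChangedTime")
            for name, dn in (("checker", CHECKER), ("self", ALICE), ("other", BOB))}


if __name__ == "__main__":
    for label, d in (("as posted", AS_POSTED), ("variant A", VARIANT_A), ("variant B", VARIANT_B)):
        print(f"{label:10s} {outcomes(d)}")
```

Running it shows the failure mode from the thread: under the posted chain the checker falls through {2}'s `break` into {5}, where `by * none` overwrites its read access on pwdChangedTime, while an attribute {5} does not cover (pwdReset) stays readable. In this model the posted {2} also denies self, because nothing in {2} matches a user other than the checker and the implicit trailing `by * none` then stops evaluation; both rewrites let other users fall through to {5}, where `by self read` applies.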