--On Friday, June 21, 2019 5:33 PM +0200 Michael Ströder michael@stroeder.com wrote:
On 6/21/19 3:52 PM, Quanah Gibson-Mount wrote:
Generally, if you want to restrict access to pwdHistory, you would do something like:
access to attrs=pwdHistory by self write by *none
Making pwdHistory writeable by user him/herself is almost a security issue. User would additionally need manage privilege to really remove the attribute but still the above ACL is not good practice.
Sure, it's a theoretical example. As I also noted already in my reply:
"The "self write" is likely unnecessary since it's an overlay that manages (slapo-ppolicy). I would note that if some other ACL takes precedence over this ACL (since you've failed to list all of them), it won't get applied."
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com