Hi!
I just discovered a problem (reading "man slapo-ppolicy" in old OpenLDAP 2.4): It seems one can configure a "default policy", but it cannot be queried. At least https://serverfault.com/a/644658/407952 suggests that, and after reading "man slapo-ppolicy" I did not find anything different. Why isn't there some "olc" attribute for it?
So far we did not set the default policy, but assigned one to each user. However, I wanted to write a utility that would evaluate the changes if a default password policy were added. For obvious reasons I don't want to hard-code the policy name into the utility, and the utility may run on any server, not just on LDAP servers, to query them.
However, digging in the configs, I found in dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config the attribute "olcPPolicyDefault", wondering why it isn't documented. So far, so good, but what would an ACL allowing that attribute to be read look like? It seems I cannot specify that specific attribute within the olcPPolicyConfig object class within the corresponding cn=config subtree: I can allow access to the attribute name globally, or to all attributes of the object class, and "attrstyle" can only be used for a specific value.
So how should I allow access to that attribute for my special user running the utility?
Kind regards, Ulrich