Hi!


I just discovered a problem (reading “man slapo-ppolicy” in old 2.4 OpenLDAP):

It seems one can configure a “default policy”, but it cannot be queried.

At least https://serverfault.com/a/644658/407952 suggests that, and after reading “man slapo-ppolicy” I did not find anything different.

Why isn’t there some “olc” attribute for it?


So far we did not set the default policy, but assigned one to each user.

However I wanted to write a utility that would evaluate the changes if a default password policy were added.

For obvious reasons I don’t want to hard-code the policy name into the utility, and the utility may run on any server, not just on LDAP servers, to query them.


However, digging in the configs, I found the attribute “olcPPolicyDefault” in dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config, and wondered why it isn’t documented.

So far, so good, but what would an ACL allowing that attribute to be read look like? It seems I cannot specify that specific attribute within the olcPPolicyConfig object class within the corresponding cn=config subtree:

I can allow access to the attribute name globally, or to all attributes of the object class, and “attrstyle” can only be used for a specific value.


So how should I allow access to that attribute for my special user running the utility?


Kind regards,

Ulrich
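Editor's added example (not part of Ulrich's mail): one way to grant a single bind DN read access to olcPPolicyDefault on exactly the overlay entry named above, using a standard slapd.access(5) ACL on the config database (olcDatabase={0}config). The bind DN cn=ppolicy-reader,ou=services,dc=example,dc=com is an assumption; the overlay DN is the one from the mail.

```ldif
# Added example, not from the original post. The reader DN is assumed.
# ACLs for cn=config live on the config database itself, so the olcAccess
# goes onto olcDatabase={0}config. Continuation lines carry an extra
# leading space so the folded value keeps its separators.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.exact="olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config"
  attrs=entry,objectClass,olcPPolicyDefault
  by dn.exact="cn=ppolicy-reader,ou=services,dc=example,dc=com" read
  by * none
# Alternative <what> clause that does not depend on the {2}/{1} index numbers,
# which change if overlays or databases are reordered:
#   to dn.subtree="cn=config" filter=(objectClass=olcPPolicyConfig)
#     attrs=entry,objectClass,olcPPolicyDefault
```

The "entry" pseudo-attribute is included because slapd only returns an entry in search results when the requester has read access to it, and objectClass is included so a filter such as (objectClass=*) or (objectClass=olcPPolicyConfig) can be evaluated; "by * none" leaves everyone else where they already are, since cn=config is closed to all but the rootdn by default and the rootdn is not subject to ACLs. Load it on the server with ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>, then verify the result without binding at all: slapacl -b "olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config" -D "cn=ppolicy-reader,ou=services,dc=example,dc=com" olcPPolicyDefault/read should report "read access to olcPPolicyDefault: ALLOWED". The utility can then run a base-scope search against that DN from any host and request only olcPPolicyDefault.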