--On Tuesday, May 21, 2019 3:41 PM -0700 Quanah Gibson-Mount quanah@symas.com wrote:
Here is an example:
access to attrs=userPassword
    by dn.exact="cn=admin,dc=example,dc=fr" write
    by users auth
    by anonymous auth
    by * none
That should be "by users read", not "by users auth" as per their stated requirements. I would note that this ACL would be problematic in a replicated environment unless the "cn=admin,dc=example,dc=fr" DN is also used for replication.
Additionally, I'm guessing what is really desired is "by self read" rather than "by users read", as the latter would allow any authenticated DN to read the userPassword value of any entry in the DB.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
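The difference between "by users auth", "by users read" and "by self read" that the reply above turns on is easiest to see by evaluating each variant against a few requests. The following is an added example, not OpenLDAP's own code or anything from the thread: a simplified model of slapd's access evaluation (first matching `by` clause wins, privilege levels are ordered so a grant implies every lower level, and only the `who` forms `*`, `anonymous`, `users`, `self` and `dn.exact="..."` are handled; `break`/`continue` controls, sets and regex specifiers are not modelled). The entries `uid=alice`, `uid=bob` and the replication identity `cn=replicator,dc=example,dc=fr` are constructed placeholders; the replicator clause illustrates the replication caveat in the reply, on the assumption that the syncrepl consumer binds with its own DN and therefore needs read access to the hashes it copies.

```python
# Added example (not OpenLDAP's own code): a simplified model of how slapd
# evaluates one `access to attrs=userPassword` directive, used to compare the
# ACL variants discussed in the message above. Assumptions: first matching
# `by` clause wins (no break/continue/stop), privilege levels are ordered and
# a grant implies all lower levels, and only a few `who` forms are modelled.
from typing import Dict, List, Optional, Tuple

# slapd privilege levels, lowest to highest.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

Clause = Tuple[str, str]  # (who, access)


def parse_acl(text: str) -> List[Clause]:
    """Extract the `by <who> <access>` clauses of a single access directive."""
    clauses: List[Clause] = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("access to"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[0] != "by" or parts[2] not in LEVELS:
            raise ValueError(f"unsupported clause: {line!r}")
        clauses.append((parts[1], parts[2]))
    return clauses


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """Does this `who` specifier match a request by bind_dn on target_dn?"""
    if who == "*":
        return True
    if who == "anonymous":           # unauthenticated connection
        return bind_dn is None
    if who == "users":               # any authenticated DN
        return bind_dn is not None
    if who == "self":                # the bound DN is the entry being accessed
        return bind_dn is not None and bind_dn.lower() == target_dn.lower()
    if who.startswith('dn.exact="') and who.endswith('"'):
        wanted = who[len('dn.exact="'):-1]
        return bind_dn is not None and bind_dn.lower() == wanted.lower()
    raise ValueError(f"unsupported who specifier: {who!r}")


def granted_level(clauses: List[Clause], bind_dn: Optional[str], target_dn: str) -> str:
    """First matching clause decides; if nothing matches, access is denied."""
    for who, access in clauses:
        if who_matches(who, bind_dn, target_dn):
            return access
    return "none"


def allows(clauses: List[Clause], bind_dn: Optional[str], target_dn: str, wanted: str) -> bool:
    """A grant at level L satisfies any request at level <= L."""
    return LEVELS.index(granted_level(clauses, bind_dn, target_dn)) >= LEVELS.index(wanted)


# Constructed copy of the ACL quoted in the message, and the two variants discussed.
ACL_ORIGINAL = """
access to attrs=userPassword
    by dn.exact="cn=admin,dc=example,dc=fr" write
    by users auth
    by anonymous auth
    by * none
"""

ACL_USERS_READ = ACL_ORIGINAL.replace("by users auth", "by users read")

# "by self read" plus an assumed syncrepl consumer identity (cn=replicator is a
# placeholder) so a replica can still read the hashes it has to copy.
ACL_SELF_READ = """
access to attrs=userPassword
    by dn.exact="cn=admin,dc=example,dc=fr" write
    by dn.exact="cn=replicator,dc=example,dc=fr" read
    by self read
    by users auth
    by anonymous auth
    by * none
"""

# Constructed identities for the comparison.
ALICE = "uid=alice,ou=people,dc=example,dc=fr"
BOB = "uid=bob,ou=people,dc=example,dc=fr"
ADMIN = "cn=admin,dc=example,dc=fr"
REPLICATOR = "cn=replicator,dc=example,dc=fr"


def compare_variants() -> Dict[str, Dict[str, bool]]:
    """Who can read whose userPassword under each variant, and can anyone still bind?"""
    out: Dict[str, Dict[str, bool]] = {}
    variants = (("original", ACL_ORIGINAL), ("users_read", ACL_USERS_READ), ("self_read", ACL_SELF_READ))
    for name, text in variants:
        c = parse_acl(text)
        out[name] = {
            "alice_reads_bob": allows(c, ALICE, BOB, "read"),
            "alice_reads_self": allows(c, ALICE, ALICE, "read"),
            # A simple bind is evaluated as an anonymous request needing `auth`
            # on the target entry's userPassword.
            "anonymous_can_bind": allows(c, None, ALICE, "auth"),
            "anonymous_reads": allows(c, None, ALICE, "read"),
            "replicator_reads_bob": allows(c, REPLICATOR, BOB, "read"),
        }
    return out


if __name__ == "__main__":
    for variant, results in compare_variants().items():
        print(variant, results)
```

Running it shows the point of the reply: under "by users read" Alice can read Bob's hash, under "by self read" she can read only her own, and in both cases anonymous binds still work because the "anonymous auth" clause remains. The original ACL also denies the replicator read access, which is the replication problem the reply mentions.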