John Lewis wrote:
How is this?
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {3}to * by * read
Slightly better. But the user (self) can still circumvent shadowUser's legacy password expiry by setting attribute 'shadowLastChange'. Well, that's an obsolete feature anyway and shadowAccount should not be used nowadays.
In general, when crafting ACLs you should have a test plan or, even better, automated testing, which should also cover the cases that should *not* be possible. Writing down the access control requirements beforehand is highly recommended too.
Ciao, Michael.
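As an added illustration of the test plan Michael asks for (this is not code from the thread), the following Python script models how slapd walks the four olcAccess directives above and checks a list of cases, including the ones that must be denied. It is a deliberately simplified model (only the who/what forms used in this ACL, 'continue' treated like 'stop', no incremental +/- privileges), and the entry DNs are constructed; to test a real directory you would run the same cases with ldapmodify/ldapsearch against slapd instead.

```python
import re

# Constructed copy of the olcAccess values from the thread, without the {n} ordering prefixes.
OLC_ACCESS = [
    'to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break',
    'to dn.base="" by * read',
    'to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none',
    'to * by * read',
]
LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']

def parse_acl(directive):
    """Split one olcAccess value into its <what> and a list of (who, access, control)."""
    parts = re.split(r'\s+by\s+', directive.strip())
    what = parts[0].split(None, 1)[1]                      # drop the leading 'to'
    clauses = []
    for clause in parts[1:]:
        tokens = clause.split()
        access = tokens[1] if len(tokens) > 1 and tokens[1] in LEVELS else None  # None: no change
        control = tokens[-1] if tokens[-1] in ('stop', 'continue', 'break') else 'stop'
        clauses.append((tokens[0], access, control))
    return what, clauses

def what_matches(what, entry_dn, attr):
    return (what == '*' or (what.startswith('attrs=') and attr in what[6:].split(','))
            or (what.startswith('dn.base=') and entry_dn == what[8:].strip('"')))

def who_matches(who, requester, entry_dn):
    return (who == '*' or (who == 'self' and requester == entry_dn)
            or (who == 'anonymous' and requester is None)
            or (who.startswith('dn.exact=') and requester == who[9:]))

def granted_level(acls, requester, entry_dn, attr):
    """Simplified slapd model: first matching <what>, first matching <by>; 'break' tries the next directive."""
    level = 'none'
    for what, clauses in map(parse_acl, acls):
        if not what_matches(what, entry_dn, attr):
            continue
        for who, access, control in clauses:
            if who_matches(who, requester, entry_dn):
                level = access or level
                if control == 'break':
                    break
                return level                                # 'stop' (and 'continue', simplified)
        else:
            return 'none'                                   # no <by> clause matched: denied
    return level

def allowed(acls, requester, entry_dn, attr, wanted):
    return LEVELS.index(granted_level(acls, requester, entry_dn, attr)) >= LEVELS.index(wanted)
```

The case `allowed(OLC_ACCESS, dn, dn, 'shadowLastChange', 'write')` returning True is exactly the gap Michael points out; a test plan should list it as a case that must fail once the ACL is fixed.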