Hello,
I read the warning in SLAPO_PPOLICY(5) regarding
ppolicy_hash_cleartext: "It is recommended that when this option
is used that compare, search, and read access be denied to all
directory users".
Am I correct to presume that this means that compare, search, and
read access should be denied for directory users' _own_ (self)
userPassword attrs?
Because compare, search, read access to _other_ users'
userPassword is rightfully denied typically by any sensible access
control ruleset. (Right?)
And if this document does mean to say that compare, search, and
read access should be denied for directory users' _own_ (self)
userPassword attrs, can someone please explain why, if users can
read their userPassword, it would be worse for it to be encrypted
than plain text?
Many thanks,