Hi all,

SYSTEM: NethServer-7.6.1810, a distro using Centos7.6.1810
OpenLDAP: openldap-2.4.44-21.el7_6.x86_64
Extra package: Self Service Password

I am using Self Service Password with question/answer method to change the password.
I store the answer in an attribute named: info.

$answer_objectClass = "extensibleObject";
$answer_attribute = "info";

The original Account provider is LDAP which I want to replace with Active Directory.

All the users have to choose a question/answer before I replace LDAP with AD as the Account provider.

While LDAP is still the Account provider, anybody with console access to the server can see the question/answer using the command:

# ldapsearch  -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1

# toto, People, directory.nh
dn: uid=toto,ou=People,dc=directory,dc=nh
...
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
shadowLastChange: 18220
userPassword:: cm9ibTEyMDQ0OQ==
info: {car}Honda

I created a Virtual Machine to test the scenario with 3 users.

In NethServer, the original Account provider is LDAP.
I did a script to extract the users and their answers to file.ldif
I remove LDAP.
I install Active Directory module.
I import the users/groups to AD. In the importation, AD creates new passwords for the imported users.
I add a section to Self Service Password for AD.
I modify AD with info.ldif to include the answer.

# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
Modified 3 records successfully
#

The users can then modify their password responding to the same question/answer they had with LDAP.
All is working perfectly.

PROBLEM:
I cannot encrypt the answer in LDAP because when I import the users to Active Directory, it cannot read the encrypted answer. I think that AD is using another way to encrypt/decrypt?
If I don't encrypt the answer, the importation to AD is working correctly.

While still using LDAP as Account provider and before I change it to Active Directory, I would like to add an additional ACL so nobody can read the answer stored in "info".

After googling a lot I found a way to describe the ACL. I hope it is the right way.

access to attrs=info
    by self write
    by anonymous auth
    by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
    by * none

How can I create the content of the newacl.ldif file to be able to add that ACL to OpenLDAP (ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif)?

Thank you,

Drukpa
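One way to express the ACL above in cn=config form, as an added example that is not from the original post or from the NethServer project. The database DN olcDatabase={1}hdb and the rule index {0} are assumptions: check the real database entry and its current olcAccess values before applying this.

```ldif
# Added example, not from the original post.
# Find the database entry and its existing rules first:
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcDatabase=*)" olcAccess
# ASSUMPTION: the directory is olcDatabase={1}hdb (adjust if it is {2}hdb, {1}mdb, ...).
# The {0} prefix inserts this rule before the existing ones; slapd stops at the
# first "access to" clause that matches, so a rule placed after a generic
# "to * by * read" rule would never be reached for the info attribute.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=info
  by self write
  by anonymous auth
  by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
  by * none

# After "ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif", verify that the
# same bind used in the original ldapsearch no longer returns the attribute:
#   ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` \
#     -h 127.0.0.1 -b ou=People,dc=directory,dc=nh uid=toto info
```

Whatever DN Self Service Password binds with to check the answer must still be granted read or write on info by one of the "by" clauses, otherwise the question/answer check itself will stop working once "by * none" is in place.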