Hi!
Next step: After finding the attribute name olcPPolicyDefault I tried to set up an ACL, but my first attempt ended in
ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcAccess> handler exited with 1
So I'm unsure: is it possible to define an ACL that grants access to one database (i.e. "config") for an object on another database (e.g. some user)?
What I tried to add was olcAccess: {1}to filter=&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*) attrs=olcPPolicyDefault by dn.exact="uid=PP-Checker,ou=system,dc=context" read by * break
(it's the first time I tried an LDAP filter in an ACL, because I did not find a better way to restrict the ACL to the intended entries)
So any advice is welcome!
Kind regards, Ulrich
From: Windl, Ulrich u.windl@ukr.de Sent: Monday, July 1, 2024 10:46 AM To: openldap-technical openldap-technical@openldap.org Subject: [EXT] Querying the default password policy
Hi!
I just discovered a problem (reading "man slapo-ppolicy" in old 2.4 OpenLDAP): It seems one can configure a "default policy", but it cannot be queried. At least https://serverfault.com/a/644658/407952 suggests that, and after reading "man slapo-ppolicy" I did not find anything different. Why isn't there some "olc" attribute for it?
So far we did not set the default policy, but assigned one to each user. However, I wanted to write a utility that would evaluate the changes if a default password policy were added. For obvious reasons I don't want to hard-code the policy name into the utility, and the utility may run on any server, not just LDAP servers, to query them.
However, digging in the configs, I found in dn: olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config the attribute "olcPPolicyDefault", wondering why it isn't documented. So far, so good, but what would an ACL allowing that attribute to be read look like? It seems I cannot specify that specific attribute within the olcPPolicyConfig object class within the corresponding cn=config subtree: I can allow access to the attribute name globally, or to all attributes of the object class, and "attrstyle" can only be used for a specific value.
So how should I allow access to that attribute for my special user running the utility?
Kind regards, Ulrich
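The following LDIF is an added example and is not part of the thread or of OpenLDAP's own documentation. It shows one way to grant a dedicated checker identity read access to olcPPolicyDefault on the cn=config database, which is what the two messages above ask for. It takes the checker DN (uid=PP-Checker,ou=system,dc=context) and the overlay DN (olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config) from the thread; the ACL index {0} and the assumption that the existing config ACLs end in "by * break" are mine. The subject of a "by" clause is just the bound DN, so it does not matter that the checker entry lives in another database than cn=config.

```ldif
# Added example, not from the thread. Grants a non-root identity read access
# to the ppolicy overlay's olcPPolicyDefault attribute in cn=config.
#
# Assumptions (not stated on the thread):
#   - the ACL is inserted at index {0} so it is evaluated before any existing
#     catch-all rule on the config database; "by * break" hands all other
#     requesters on to those existing rules unchanged
#   - "entry" and "objectClass" are included because a search must be allowed
#     to return the entry at all and to evaluate its filter, not only to read
#     the single attribute
#
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f grant-ppolicy-default.ldif
# Verify with: ldapsearch -x -H ldap://localhost \
#                -D "uid=PP-Checker,ou=system,dc=context" -W \
#                -b "olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config" \
#                -s base "(objectClass=*)" olcPPolicyDefault
#
# Note the two leading spaces on continuation lines: LDIF strips the first
# one as the continuation marker, the second one keeps the tokens separated.
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.exact="olcOverlay={2}ppolicy,olcDatabase={1}hdb,cn=config"
  attrs=entry,objectClass,olcPPolicyDefault
  by dn.exact="uid=PP-Checker,ou=system,dc=context" read
  by * break

# Alternative target clause if the overlay DN should not be hard-coded
# (for example to cover several ppolicy overlay instances): the value of
# filter= is an RFC 4515 filter and therefore needs its outer parentheses,
# which the attempt in the thread lacked.
#
# olcAccess: {0}to filter="(&(objectClass=olcPPolicyConfig)(olcPPolicyDefault=*))"
#   attrs=entry,objectClass,olcPPolicyDefault
#   by dn.exact="uid=PP-Checker,ou=system,dc=context" read
#   by * break
```

With this rule in place the checker utility can fetch the default policy DN from any host that can reach the directory, and every other bind DN still falls through to the rules that were already configured for cn=config.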