2
On 8/27/23 19:01, Marc wrote:
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
I think the problem is this rule. You specify 'by * none break', which means that evaluation is not stopped if this rule does not match. Because of that, the later rules for user 'yyyy' do match and 'yyyy' can read the 'userPassword' attribute.
You would have to specify a separate rule for 'userPassword' without 'break', something like this:
olcAccess: {1} to attrs=userPassword by self read by anonymous auth
Well done Souji! Thanks that seems to be working better, and I can remove these redundant read - search combinations!