Hi. I have OpenLDAP 2.4.36 server grabbed from LTB project. I've noticed two issues, can anyone confirm the same behavior? First - ACLs: to dn.base="" by users read to dn.subtree="ou=disabledaccounts,o=examples" by dn.base="cn=replicationmanager,o=example" read by * none to attrs=userPassword,shadowLastChange by dn.base="cn=replicationmanager,o=example" read by dn.base="cn=radiussuperuser,o=example" read by anonymous auth by self write by * none [skipping few next less important rules] Above ACL should NOT show user's own password, right? But it shows in my environment.. Second: PwdMinLength in password policy does not work. I can easily set shorter password. Password policy in general works, for example it does not allow me to change password earlier than 'pwdMinAge'. Best regards, -- Olo

REMOVE ME At 2013-11-26 03:47:27,"Michael Proto" <michael.proto(a)tstllc.net&gt; wrote: For userPassword "by self write" implies the ability to read as well, try "by self =xw" if you want to be able to write to userPassword without being able to view it. On Mon, Nov 25, 2013 at 2:15 PM, Aleksander Dzierżanowski <olo(a)e-lista.pl&gt;wrote: > Hi. > > I have OpenLDAP 2.4.36 server grabbed from LTB project. I've noticed two > issues, can anyone confirm the same behavior? > > First - ACLs: > to dn.base="" > by users read > to dn.subtree="ou=disabledaccounts,o=examples" > by dn.base="cn=replicationmanager,o=example" read > by * none > to attrs=userPassword,shadowLastChange > by dn.base="cn=replicationmanager,o=example" read > by dn.base="cn=radiussuperuser,o=example" read > by anonymous auth > by self write > by * none > [skipping few next less important rules] > > Above ACL should NOT show user's own password, right? But it shows in my > environment.. > > Second: > PwdMinLength in password policy does not work. I can easily set shorter > password. Password policy in general works, for example it does not allow > me to change password earlier than 'pwdMinAge'. > > Best regards, > -- > Olo > >

For the first question, Michael already answer you For the second, could you give us more information, for example, how do you modify the password. I don't think so, but to remove any doubt, do you modify the password with a ldapmodify request on the userpassword? or with the extended operation to modify password which will follow the ppolicy constraints (which ldapmodify don't take into account) On Tue, Nov 26, 2013 at 9:02 AM, mahao_boy <mahao_boy(a)163.com&gt; wrote: REMOVE ME At 2013-11-26 03:47:27,"Michael Proto" <michael.proto(a)tstllc.net&gt; wrote: For userPassword "by self write" implies the ability to read as well, try "by self =xw" if you want to be able to write to userPassword without being able to view it. On Mon, Nov 25, 2013 at 2:15 PM, Aleksander Dzierżanowski <olo(a)e-lista.pl&gt; wrote: Hi. I have OpenLDAP 2.4.36 server grabbed from LTB project. I’ve noticed two issues, can anyone confirm the same behavior? First - ACLs: to dn.base="" by users read to dn.subtree="ou=disabledaccounts,o=examples" by dn.base="cn=replicationmanager,o=example" read by * none to attrs=userPassword,shadowLastChange by dn.base="cn=replicationmanager,o=example" read by dn.base=„cn=radiussuperuser,o=example" read by anonymous auth by self write by * none [skipping few next less important rules] Above ACL should NOT show user’s own password, right? But it shows in my environment.. Second: PwdMinLength in password policy does not work. I can easily set shorter password. Password policy in general works, for example it does not allow me to change password earlier than ‚pwdMinAge’. Best regards, — Olo