> On 8/27/23 19:01, Marc wrote:
> >>> olcAccess: {2} to attrs=userPassword,shadowLastChange
> >>>   by ssf=256 self read
> >>>   by ssf=256 anonymous auth
> >>>   by * none break
>
> I think the problem is this rule. You specify 'by * none break', which
> means that evaluation is not stopped if this rule does not match.
> Because of that, the later rules for user 'yyyy' do match and 'yyyy' can
> read the 'userPassword' attribute.
>
> You would have to specify a separate rule for 'userPassword' without
> 'break', something like this:
>
> olcAccess: {1} to attrs=userPassword
>   by self read
>   by anonymous auth
>
Well done, Souji! Thanks, that seems to be working better, and I can remove these
redundant read - search combinations!
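
An added example, not part of the original thread and not OpenLDAP code: a simplified Python model of how slapd walks access directives, showing why `by * none break` lets a later rule grant read on `userPassword` and why the separate rule without `break` stops it. The DNs and the later rule for 'yyyy' are constructed, since the thread does not quote them; the model covers access levels with the `stop` and `break` controls only.

```python
# Simplified model of slapd ACL evaluation: access levels only, "stop" and
# "break" controls only. All DNs and the rule for yyyy are constructed.
YYYY = "uid=yyyy,ou=people,dc=example,dc=com"
OWNER = "uid=owner,ou=people,dc=example,dc=com"

def who_matches(who, requester, entry_dn):
    if who == "*":
        return True
    if who == "self":
        return requester is not None and requester == entry_dn
    if who == "anonymous":
        return requester is None
    return who == requester  # anything else is treated as an exact DN

def effective_access(acl, attr, requester, entry_dn, ssf=256):
    """Return the access level the requester ends up with on attr."""
    for attrs, by_clauses in acl:
        if attrs != "*" and attr not in attrs:
            continue  # this directive's <what> does not select the attribute
        # slapd ends every directive with an implicit "by * none stop"
        for who, min_ssf, level, control in by_clauses + [("*", 0, "none", "stop")]:
            if ssf < min_ssf or not who_matches(who, requester, entry_dn):
                continue
            if control == "stop":
                return level  # first matching <who> decides
            break  # "break": leave this directive, try the next matching one
    return "none"  # implicit final "to * by * none"

# Rule {2} as quoted in the thread, followed by a constructed later rule.
ORIGINAL = [
    ({"userPassword", "shadowLastChange"},
     [("self", 256, "read", "stop"), ("anonymous", 256, "auth", "stop"),
      ("*", 0, "none", "break")]),
    ("*", [(YYYY, 0, "read", "stop")]),
]
# The suggested rule {1}, placed ahead of the others.
FIXED = [({"userPassword"},
          [("self", 0, "read", "stop"), ("anonymous", 0, "auth", "stop")])] + ORIGINAL

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, effective_access(acl, "userPassword", YYYY, OWNER))
```

In this model the suggested rule covers only `userPassword`, so a request for `shadowLastChange` still reaches the directive ending in `break` and falls through to later rules.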