just saying
for the user-who-can-change-passwords-so-as-to-disable-them…
the file
[email protected]:/etc/ldap/slapd.d/cn=config# pwd
/etc/ldap/slapd.d/cn=config
[email protected]:/etc/ldap/slapd.d/cn=config# cat olcDatabase\={1}hdb.ldif
the bits that matter, I think
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=some
 ,dc=where,dc=out,dc=there,dc=wooo" write by self write by anonymous auth by * no
 ne
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=some,dc=where,dc=out,dc=there,dc=wooo" wr
 ite by * read
olcAccess: {3}to attrs=userPassword,shadowLastChange by self read
but I’m not sure about the syntax. I think this might let “tester” do it?
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=some
 ,dc=where,dc=out,dc=there,dc=wooo" write by dn="cn=tester,ou=people,dc=some
 ,dc=where,dc=out,dc=there,dc=wooo" write by self write by anonymous auth by * no
 ne
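
A way to check that guess offline, added here as an example (not part of the original note and not slapd's own code): a simplified model of slapd's rule walk, where the first matching "to" clause is used and, inside it, the first matching "by" clause decides. It assumes only the to/by forms shown above, compares DNs as plain strings, and uses a constructed entry uid=alice,ou=people,... as the account whose password is being changed.

```python
import re

def unfold(ldif):
    # LDIF folding: a line that starts with one space continues the previous line.
    return ldif.replace("\n ", "")

def parse_acl(ldif):
    """Return [(index, what, [(who, level), ...])] ordered by the {n} prefix."""
    rules = []
    for m in re.finditer(r"^olcAccess: \{(\d+)\}to (\S+) (.*)$", unfold(ldif), re.M):
        clauses = re.findall(r'by (dn="[^"]*"|\S+) (\w+)', m.group(3))
        rules.append((int(m.group(1)), m.group(2), clauses))
    return sorted(rules)

def what_matches(what, entry_dn, attr):
    # Only the three <what> forms used on this page are modelled.
    if what.startswith("attrs="):
        return attr in what[len("attrs="):].split(",")
    if what.startswith("dn.base="):
        return entry_dn == what[len("dn.base="):].strip('"')
    return what == "*"

def access(rules, bind_dn, entry_dn, attr):
    """First matching <what> wins, then first matching <who>; evaluation stops there."""
    for _, what, clauses in rules:
        if not what_matches(what, entry_dn, attr):
            continue
        for who, level in clauses:
            if (who == "*" or who == f'dn="{bind_dn}"'
                    or (who == "self" and bind_dn == entry_dn)
                    or (who == "anonymous" and bind_dn == "")):
                return level
        return "none"  # slapd ends every rule with an implicit "by * none"
    return "none"

# DNs from the note; ALICE is a constructed sample entry.
BASE = "dc=some,dc=where,dc=out,dc=there,dc=wooo"
ADMIN, TESTER = "cn=admin," + BASE, "cn=tester,ou=people," + BASE
ALICE = "uid=alice,ou=people," + BASE
PW = "olcAccess: {0}to attrs=userPassword,shadowLastChange"
TAIL = ('olcAccess: {1}to dn.base="" by * read\n'
        f'olcAccess: {{2}}to * by dn="{ADMIN}" write by * read\n'
        'olcAccess: {3}to attrs=userPassword,shadowLastChange by self read\n')
CURRENT = (f'{PW} by dn="{ADMIN}" write by self write'
           ' by anonymous auth by * no\n ne\n' + TAIL)   # folded mid-word, as in the file
PROPOSED = (f'{PW} by dn="{ADMIN}" write by dn="{TESTER}" write by self write'
            ' by anonymous auth by * no\n ne\n' + TAIL)
```

In this model the {3} rule is never reached for userPassword, because {0} already matches that attribute and ends in "by * none". On the server itself, slapacl runs the same kind of check against the real configuration.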