Troubles with idp.authn.LDAP.returnAttributes property

Peter Schober peter.schober at univie.ac.at
Fri Oct 4 09:53:48 EDT 2019


* Guillaume Rousse <guillaume.rousse at renater.fr> [2019-10-04 15:38]:
> I don't think we have an LDAP ACL issue here, as a user is entitled
> to read and write their own password.

We'll need to agree to disagree, then.

My own OpenLDAP slapds always only had ACLs such as:

access to attr=userPassword
  by self =w
  by anonymous auth

I see no reason to allow read access to the password even to the
object "owner". What would be gained by that other than exposing the
password (in whatever stored form, plaintext, hashed) to an attacker
using the subject's machine/session?

Writing can still be allowed to the subject, though I find that's
often no longer a sensible choice today, when writes only come from an
internal web application of some sort (which you'd need for a myriad
of reasons, such as: provisioning the password to services that you
cannot provision from LDAP, a.k.a. provisioning different password
hashes for different systems; asking the subject for additional
information as part of the change; second-factor/MFA requirements;
etc.)

-peter
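The ACL Peter shows above, spelled out as a cn=config (olcAccess) change so it can be compared with the permissive variant he argues against. This is an added example, not part of Peter's message or of any Shibboleth or OpenLDAP documentation. It assumes the password-holding database is `olcDatabase={1}mdb,cn=config` and that the IdP authenticates users by simple bind (which only needs `auth` on userPassword, never `read`); adjust the DN to your own directory.

```ldif
# Added example (not from the original post). Assumption: the user data
# lives in olcDatabase={1}mdb,cn=config. In LDIF a line beginning with a
# space continues the previous value, so the two leading spaces below
# become exactly one space inside the ACL string.

# PERMISSIVE (the setting being argued against): slapd access levels are
# cumulative, so "write" implies read, search, compare and auth. With this
# rule the bound user, or anyone who has hijacked that user's session, can
# read back their own userPassword (hash or plaintext, however it is stored).
#
# dn: olcDatabase={1}mdb,cn=config
# changetype: modify
# replace: olcAccess
# olcAccess: {0}to attrs=userPassword
#   by self write
#   by anonymous auth
#   by * none

# RESTRICTIVE (Peter's ACL): "=w" grants exactly the write privilege and
# nothing else, so the user can change the password but cannot read it.
# "anonymous auth" is what lets the directory verify a simple bind against
# the attribute without ever returning it. "by * none" makes the implicit
# default explicit.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self =w
  by anonymous auth
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` (as the OS root, the usual local-admin path for cn=config). Then check it from the subject's point of view: bind as a test user and request their own entry with the `userPassword` attribute, e.g. `ldapsearch -x -D "uid=test,ou=people,dc=example,dc=org" -W -b "uid=test,ou=people,dc=example,dc=org" userPassword`. The entry should come back without a `userPassword` line; if it still appears, an earlier, more general `olcAccess` rule (for example a `{0}to * by self write`) is matching first, since slapd stops at the first `to` clause that matches the attribute. A binding test (`ldapwhoami -x -D "uid=test,..." -W`) should continue to succeed, confirming that `anonymous auth` is sufficient for the IdP's bind-based authentication.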


More information about the users mailing list