source: https://www.okta.com/identity-101/what-is-ldap/

Let LDAP users change their passwords themselves

Newsletter May 22, 2023

Start container instance

version: '2'

services:
  openldap:
    image: bitnami/openldap:2
    ports:
      - '1389:1389'
      - '1636:1636'
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=adminpassword
      - LDAP_USERS=user01
      - LDAP_PASSWORDS=password1
      - BITNAMI_DEBUG=true

Check the current ACL, and note the index of the mdb database as shown in the output (e.g. {1}mdb), since the LDIF below has to target that entry:

ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase=*'

Then create acl.ldif with the following contents:

# cat acl.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="ou=users,dc=example,dc=org" write by * none
-
add: olcAccess
olcAccess: to * by self write by dn.base="ou=users,dc=example,dc=org" write by * read

Let's break down this LDIF script:

  1. dn: olcDatabase={1}mdb,cn=config: This specifies the distinguished name (DN) of the entry to be modified. In this case, it's referring to the second database in the LDAP configuration ({1} refers to the index number of the database, and mdb indicates that the database is an MDB type).

  2. changetype: modify: This indicates that we're modifying the entry specified by the dn above.

  3. add: olcAccess: This is the first operation to be performed: adding a new olcAccess value.

  4. olcAccess: to attrs=userPassword by self write by anonymous auth by dn.base="ou=users,dc=example,dc=org" write by * none: This sets the access control rules for the userPassword attribute:

    • by self write: The entry's owner can modify their own password.

    • by anonymous auth: Anonymous users can authenticate using this attribute (that is, they can supply the password for authentication, but nothing else).

    • by dn.base="ou=users,dc=example,dc=org" write: Entries in the "ou=users,dc=example,dc=org" subtree can modify this attribute.

    • by * none: Any other users have no access to this attribute.

  5. add: olcAccess: This is the second operation to be performed: adding another olcAccess value. A lone "-" line must separate the two operations, since both belong to the same modify record; a blank line would instead end the record and the second add would fail for lack of a dn.

  6. olcAccess: to * by self write by dn.base="ou=users,dc=example,dc=org" write by * read: This sets the access control rules for all other attributes (indicated by the asterisk):

    • by self write: The entry's owner can modify their own attributes.

    • by dn.base="ou=users,dc=example,dc=org" write: Entries in the "ou=users,dc=example,dc=org" subtree can modify these attributes.

    • by * read: Any other users can read these attributes, but not modify them.

These rules together create a reasonable access control system where users can modify their own attributes (including their password), entries in a certain subtree can modify user passwords, and other users can read (but not modify) attributes.
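Because OpenLDAP evaluates olcAccess values in order and stops at the first "to" clause that covers the attribute, it is worth checking what the two rules above actually decide before trusting them. The following is an added example, not code from the post: a deliberately simplified Python evaluator of olcAccess semantics that answers the questions this ACL is meant to settle. It implements only the selectors used on this page (self, anonymous, users, dn.base=, "*") plus dn.children/dn.subtree for contrast, and it assumes constructed user DNs of the form cn=user01,ou=users,dc=example,dc=org, which is the shape the Bitnami image uses for LDAP_USERS. One thing the evaluator makes visible: dn.base is an exact-DN match, so the clause by dn.base="ou=users,dc=example,dc=org" write only applies to a client bound as the ou=users entry itself, not to the user entries beneath it. Widening it to dn.subtree would let every user overwrite every other user's password and attributes, so the narrower form is the safer one to keep.

```python
"""Simplified evaluator for OpenLDAP olcAccess rules (added illustration, not the
post's own code). Semantics modelled: rules are tried in order, the first rule whose
<what> clause covers the target attribute decides, and within it the first matching
<by> clause sets the access level. Only the selectors used on the page plus
dn.children/dn.subtree (for contrast) are implemented."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# OpenLDAP access levels in increasing order; a level implies all levels below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Rule:
    attrs: Optional[Set[str]]          # None means "to *"
    who: List[Tuple[str, str]]         # (<by> selector, access level), in order


def parse_rule(text: str) -> Rule:
    """Parse 'to <what> by <who> <level> [by ...]'; an ordering prefix like {0} is ignored."""
    text = re.sub(r"^\{\d+\}", "", text.strip())
    head, *by_parts = re.split(r"\s+by\s+", text)
    what = head.removeprefix("to").strip()
    attrs = None if what == "*" else {a.lower() for a in what.removeprefix("attrs=").split(",")}
    who = []
    for part in by_parts:
        selector, level = part.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        who.append((selector, level))
    return Rule(attrs, who)


def normalize_dn(dn: str) -> str:
    return ",".join(p.strip().lower() for p in dn.split(","))


def who_matches(selector: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """Does the <by> selector apply to a client bound as bind_dn (None = anonymous)?"""
    if selector == "*":
        return True
    if selector == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False                       # every remaining selector needs a bound identity
    if selector == "users":
        return True
    if selector == "self":
        return normalize_dn(bind_dn) == normalize_dn(target_dn)
    m = re.fullmatch(r'dn(?:\.(base|children|subtree))?="([^"]*)"', selector)
    if not m:
        raise ValueError(f"unsupported selector {selector!r}")
    style, pattern = m.group(1) or "base", normalize_dn(m.group(2))
    b = normalize_dn(bind_dn)
    if style == "base":                    # exact DN only, not the entries beneath it
        return b == pattern
    if style == "children":
        return b != pattern and b.endswith("," + pattern)
    return b == pattern or b.endswith("," + pattern)   # subtree


def access_level(rules: List[Rule], bind_dn: Optional[str], target_dn: str, attr: str) -> str:
    for rule in rules:
        if rule.attrs is not None and attr.lower() not in rule.attrs:
            continue                       # <what> does not cover this attribute: next rule
        for selector, level in rule.who:
            if who_matches(selector, bind_dn, target_dn):
                return level
        return "none"                      # <what> matched but no <by> clause did: denied
    return "none"


def allows(rules: List[Rule], bind_dn: Optional[str], target_dn: str, attr: str, wanted: str) -> bool:
    return LEVELS.index(access_level(rules, bind_dn, target_dn, attr)) >= LEVELS.index(wanted)


# The two olcAccess values from the acl.ldif above.
PAGE_ACL = [parse_rule(r) for r in (
    'to attrs=userPassword by self write by anonymous auth by dn.base="ou=users,dc=example,dc=org" write by * none',
    'to * by self write by dn.base="ou=users,dc=example,dc=org" write by * read',
)]
# Constructed DNs in the shape the Bitnami image uses for LDAP_USERS (assumption).
USER01 = "cn=user01,ou=users,dc=example,dc=org"
USER02 = "cn=user02,ou=users,dc=example,dc=org"


def demo() -> dict:
    """What the ACL decides for the cases that matter."""
    return {
        "user01 changes own password":      allows(PAGE_ACL, USER01, USER01, "userPassword", "write"),
        "user02 changes user01 password":   allows(PAGE_ACL, USER02, USER01, "userPassword", "write"),
        "user02 even sees user01 password": allows(PAGE_ACL, USER02, USER01, "userPassword", "disclose"),
        "anonymous binds with password":    allows(PAGE_ACL, None, USER01, "userPassword", "auth"),
        "anonymous reads password":         allows(PAGE_ACL, None, USER01, "userPassword", "read"),
        "user02 reads user01 mail":         allows(PAGE_ACL, USER02, USER01, "mail", "read"),
        "user02 writes user01 mail":        allows(PAGE_ACL, USER02, USER01, "mail", "write"),
        # dn.base names exactly ou=users,...; a user entry beneath it does not match it.
        "dn.base matches member of ou=users": who_matches('dn.base="ou=users,dc=example,dc=org"', USER02, USER01),
        "dn.subtree would match that member": who_matches('dn.subtree="ou=users,dc=example,dc=org"', USER02, USER01),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question:40s} {answer}")
```

Two practical notes. First, the rootdn (the admin account here) bypasses ACLs entirely, so testing as admin proves nothing; the real check against the running container is a bind as the user followed by a self-service change, e.g. ldappasswd -x -H ldap://localhost:1389 -D cn=user01,ou=users,dc=example,dc=org -W -S (assuming that user DN). Second, "add: olcAccess" appends after any olcAccess values the database already has, and evaluation stops at the first "to" clause that covers the attribute, so an existing earlier "to *" rule would shadow the new ones; that is what the double-check step at the end is for.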

Apply this ACL

ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif


# SASL/EXTERNAL authentication started
# SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
# SASL SSF: 0
# modifying entry "olcDatabase={1}mdb,cn=config"

Double-check the ACL by re-running the ldapsearch command from above: the two new olcAccess values should now appear on the mdb database entry, in the order in which they will be evaluated.
