Opened 18 years ago
Last modified 15 years ago
#54 closed task
LDAP security settings - self update, hide password — at Version 1
| Reported by: | warmerdam | Owned by: | hobu |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | SysAdmin | Keywords: | |
| Cc: | | | |
Description

The following script does *not* have permission to update the cn field for its own user (even when the cred is set properly). But I think it should.

```python
#!/usr/bin/env python
import ldap

server = 'ldap.osgeo.org'
who = 'uid=warmerdam,ou=People,dc=osgeo,dc=org'
cred = 'xx'  # placeholder; the real password is not in the ticket

# Bind as the user's own DN, then try to rewrite the cn of that same entry.
# ldap.initialize() replaces the old ldap.open(); current python-ldap wants
# attribute values as bytes.
l = ldap.initialize('ldap://' + server)
l.simple_bind_s(who, cred)
l.modify_s(who, [(ldap.MOD_REPLACE, 'cn', b'NF Warmerdam')])
```
The /etc/openldap/slapd.conf uses the following permissions:
```
access to *
        by self write
        by users read
        by anonymous auth
```
As I read the docs at http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control, this should do what we want, but somehow it isn't.
I'd add that our current LDAP permissions allow any authenticated user to read everything in LDAP, including everyone else's encrypted password, which is sufficient to authenticate as these other users. We should really add a pre-rule something like:

```
access to attr=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Manager,dc=osgeo,dc=org" write
        by * none
```
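To see why the userPassword rule has to be a *pre*-rule, the following added example (not part of the ticket, not OpenLDAP code) models slapd's ACL evaluation for just the syntax used above: the first `access to` clause whose target matches wins, and inside it the first matching `by` clause sets the level. The second user DN is constructed; only `*`, `attr=`, `self`, `users`, `anonymous`, `dn.base=` and `*` are understood.

```python
import re

# Access levels in increasing order; a granted level implies all lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse slapd.conf 'access to <what> by <who> <level> ...' statements."""
    flat = " ".join(text.split())  # continuation lines are only whitespace
    rules = []
    for stmt in re.split(r"\baccess to ", flat)[1:]:
        target, *clauses = stmt.split(" by ")
        rules.append((target.strip(),
                      [tuple(c.strip().rsplit(None, 1)) for c in clauses]))
    return rules

def access(rules, bind_dn, entry_dn, attr):
    """Level bind_dn (None = anonymous) gets on attr of entry_dn."""
    for target, by in rules:
        if target not in ("*", "attr=" + attr):
            continue  # this clause is about something else
        for who, level in by:
            if (who == "*"
                    or (who == "anonymous" and bind_dn is None)
                    or (who == "users" and bind_dn is not None)
                    or (who == "self" and bind_dn == entry_dn)
                    or (who.startswith("dn.base=") and bind_dn == who[9:-1])):
                return level
        return "none"  # target matched but no <who> did: implicit 'by * none'
    return "none"      # no clause matched this entry/attribute at all

def allows(rules, bind_dn, entry_dn, attr, wanted):
    return LEVELS.index(access(rules, bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)

# The ticket's current rule and the proposed userPassword rule, in both orders.
CURRENT = "access to * by self write by users read by anonymous auth"
PASSWORD_RULE = ('access to attr=userPassword by self write by anonymous auth '
                 'by dn.base="cn=Manager,dc=osgeo,dc=org" write by * none')
PROPOSED = PASSWORD_RULE + "\n" + CURRENT    # pre-rule: evaluated first
MISORDERED = CURRENT + "\n" + PASSWORD_RULE  # shadowed by 'access to *'

WARMERDAM = "uid=warmerdam,ou=People,dc=osgeo,dc=org"
OTHER = "uid=someone,ou=People,dc=osgeo,dc=org"  # constructed second user
MANAGER = "cn=Manager,dc=osgeo,dc=org"

if __name__ == "__main__":
    cur, new, bad = parse_acl(CURRENT), parse_acl(PROPOSED), parse_acl(MISORDERED)
    print("self may write cn:     ", allows(cur, WARMERDAM, WARMERDAM, "cn", "write"))
    print("other user reads hash: ", allows(cur, OTHER, WARMERDAM, "userPassword", "read"))
    print("with pre-rule:         ", allows(new, OTHER, WARMERDAM, "userPassword", "read"))
    print("anonymous still binds: ", access(new, None, WARMERDAM, "userPassword"))
    print("rule appended instead: ", allows(bad, OTHER, WARMERDAM, "userPassword", "read"))
```

With the rule appended after `access to *` it never fires, so the password hashes stay readable; only the pre-rule ordering closes the exposure while keeping anonymous `auth` for binds.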