The "add" access right is not dealt with properly for the userPassword attribute. If you add the following ACI, anyone should be able to add a new entry:

(targetattr ="*")(version 3.0; acl "foo"; allow (add) (userdn = "ldap:///anyone");)

You will find that you get an error 50 when you attempt to add an entry containing a userPassword attribute with the above ACI. This is due to a permissions check that occurs during an add operation to see if access to userPassword is allowed before doing any password syntax checking. The problem is that it checks for the SLAPI_ACL_WRITE privilege instead of the SLAPI_ACL_ADD privilege. The SLAPI_ACL_WRITE privilege checks if the user is allowed to perform a modify operation, not an add. The attached diff fixes this issue.
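To make the mismatch concrete, here is an added C example (not the attached diff and not slapd code) that models the allow clause of an ACI as a rights bitmask, the way the report describes the check: against the add-only ACI above, asking for the WRITE right on userPassword yields error 50, while asking for the ADD right succeeds. The ACL_* values, the minimal ACI parser, and the function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Rights bits standing in for the SLAPI_ACL_* names in the report
   (values are constructed for this example, not slapd's). */
#define ACL_READ   0x01
#define ACL_WRITE  0x02
#define ACL_ADD    0x04
#define ACL_DELETE 0x08

#define LDAP_SUCCESS             0
#define LDAP_INSUFFICIENT_ACCESS 50   /* the "error 50" the reporter saw */

/* Extract the rights granted by the "allow (...)" clause of an ACI string.
   Only the allow clause is modelled; target and bind rule are assumed to match. */
static int aci_allowed_rights(const char *aci)
{
    const char *p = strstr(aci, "allow");
    if (p == NULL || (p = strchr(p, '(')) == NULL) return 0;
    const char *end = strchr(p, ')');
    if (end == NULL) return 0;
    char buf[128];
    size_t n = (size_t)(end - p - 1);
    if (n >= sizeof buf) return 0;
    memcpy(buf, p + 1, n);
    buf[n] = '\0';
    int rights = 0;
    for (char *tok = strtok(buf, ", "); tok; tok = strtok(NULL, ", ")) {
        if (strcmp(tok, "read") == 0)        rights |= ACL_READ;
        else if (strcmp(tok, "write") == 0)  rights |= ACL_WRITE;
        else if (strcmp(tok, "add") == 0)    rights |= ACL_ADD;
        else if (strcmp(tok, "delete") == 0) rights |= ACL_DELETE;
    }
    return rights;
}

/* Does the ACI cover every requested right? Returns an LDAP result code. */
static int access_allowed(const char *aci, int requested)
{
    return (aci_allowed_rights(aci) & requested) == requested
           ? LDAP_SUCCESS : LDAP_INSUFFICIENT_ACCESS;
}

/* Pre-fix: the userPassword check during add asked for WRITE (modify). */
static int add_entry_old(const char *aci) { return access_allowed(aci, ACL_WRITE); }
/* Post-fix: ask for ADD, the right an add operation actually needs. */
static int add_entry_fixed(const char *aci) { return access_allowed(aci, ACL_ADD); }

static const char *ACI_FROM_REPORT =
    "(targetattr =\"*\")(version 3.0; acl \"foo\"; allow (add) (userdn = \"ldap:///anyone\");)";

int main(void)
{
    printf("old check: %d, fixed check: %d\n",
           add_entry_old(ACI_FROM_REPORT), add_entry_fixed(ACI_FROM_REPORT));
    return 0;
}
```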
Created attachment 140582: CVS Diffs
Checked into ldapserver (HEAD). Thanks for the review Rich!

Checking in add.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/add.c,v  <--  add.c
new revision: 1.9; previous revision: 1.8
done