fix: fix #104 - LDAP userPassword attribute can be read without auth

config/ldap/init-ldap-acls.sh

@@ -0,0 +1,26 @@
+#!/usr/bin/env bash
+set -eu
+
+# load OpenLDAP environment and functions
+. /opt/bitnami/scripts/libopenldap.sh
+
+trap ldap_stop EXIT
+
+# start LDAP in background
+ldap_start_bg
+
+# wait until LDAP is started
+while ! ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=admin,dc=opencloud,dc=eu" >/dev/null 2>&1; do
+    echo "Waiting for LDAP to start..."
+    sleep 1
+done
+
+# apply acls
+echo -n "Applying acls... "
+ldapmodify -Y EXTERNAL -H ldapi:/// -f /opt/bitnami/openldap/etc/schema/50_acls.ldif
+if [ $? -eq 0 ]; then
+    echo "done."
+else
+    echo "failed."
+fi
+

config/ldap/ldif/50_acls.ldif

@@ -0,0 +1,12 @@
+# OpenCloud ldap acl file which gets applied during the first db initialisation
+dn: olcDatabase={2}mdb,cn=config
+changetype: modify
+replace: olcAccess
+olcAccess: {0}to dn.subtree="dc=opencloud,dc=eu" attrs=entry,uid,objectClass,entryUUID
+  by * read
+olcAccess: {1}to attrs=userPassword
+  by self write
+  by * auth
+olcAccess: {2}to *
+  by dn.base="uid=admin,ou=users,dc=opencloud,dc=eu" write
+  by * none