ldap -- fixing password retrieval

Official documentation:
https://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/secure.html

4.1. Setting Attributes Read-only
Several attributes in LDAP should be read-only. If left writable by the user, for example, a user could change his uidNumber attribute to 0 and get root access!

To begin with, the userPassword attribute should not be world-readable. By default, anyone who can connect to the LDAP server can read this attribute. To disable this, put the following in slapd.conf:

Example 8. Hide Passwords
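# userPassword: the owner may change it, anonymous clients may only bind against it
access to dn.subtree="ou=people,dc=example,dc=org"
  attrs=userPassword
  by self write
  by anonymous auth
  by * none

# every other attribute: the owner may write, everyone else may read
access to *
  by self write
  by * read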
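
The Python sketch below is an added example, not part of the FreeBSD article or of this post. It models how slapd evaluates the two rules of Example 8 (the first matching `access to` clause decides, then the first matching `by` clause inside it) and goes beyond the page by showing that placing the catch-all rule first makes userPassword readable again. The client sets and the decision not to model DN scope are assumptions of the example.

```python
import re

# Constructed sample: the two rules of Example 8, in the order the page gives them.
EXAMPLE_8 = """\
access to dn.subtree="ou=people,dc=example,dc=org"
  attrs=userPassword
  by self write
  by anonymous auth
  by * none
access to *
  by self write
  by * read
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Which <who> keywords each kind of client matches (simplified, assumed model).
ANONYMOUS = {"anonymous", "*"}
OTHER_USER = {"users", "*"}
SELF = {"self", "users", "*"}

def parse_acls(conf):
    """Return [(attrs or None, [(who, level), ...]), ...] in file order."""
    conf = re.sub(r"\n[ \t]+", " ", conf)  # indented lines continue the directive
    rules = []
    for line in conf.splitlines():
        if not line.startswith("access to "):
            continue
        head, *bys = re.split(r"\s+by\s+", line[len("access to "):])
        m = re.search(r"attrs=(\S+)", head)
        attrs = m.group(1).split(",") if m else None  # None: every attribute
        rules.append((attrs, [tuple(b.split()[:2]) for b in bys]))
    return rules

def effective_access(rules, attr, client):
    """Level a client gets on attr of an entry under ou=people (DN scope not modelled)."""
    if not rules:
        return "read"  # slapd's default policy when no access directive exists
    for attrs, bys in rules:
        if attrs is not None and attr not in attrs:
            continue  # this clause does not cover the attribute
        for who, level in bys:  # first matching <who> wins
            if who in client:
                return level
        break  # first matching clause decides; no <who> matched
    return "none"  # implicit trailing "by * none"

def can_read(rules, attr, client):
    return LEVELS.index(effective_access(rules, attr, client)) >= LEVELS.index("read")
```

Calling `can_read(parse_acls(text), "userPassword", ANONYMOUS)` on the contents of a slapd.conf gives a quick review check; it should be False for a hardened configuration.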

Reposted from blog.51cto.com/13420391/2540309