
#51 Change Password creates duplicate userPassword attribute

Milestone: v1.0_(example)
Status: open
Owner: nobody
Labels: None
Priority: 2
Updated: 2018-09-20
Created: 2018-09-20
Creator: Craig
Private: No

A common ACL setup involves denying read access to the userPassword attribute, but allowing writes. This makes the field 'write-only' so that, for example, helpdesk technicians cannot read password hashes but are able to reset a password.

If the 'Set Password' dialog is used while this type of ACL setup is in place, LDAP Admin uses an LDAP 'add' modification rather than 'replace'. As userPassword is a multivalued attribute as defined by RFC 4519, this causes a second 'userPassword' value to be added, leaving the old one in place.

This is apparently because LDAP Admin does not see the existing userPassword value. If the ACLs are changed so that the user has read access to userPassword, the application uses a 'replace' modification, which removes the old password.
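The following is an added illustration, not LDAP Admin's code: a small in-memory model of the RFC 4511 modify operation showing why choosing 'add' when the attribute is not readable leaves two userPassword values, why an unconditional 'replace' does not, and an audit check an administrator can run for entries that already carry duplicates. The entry DN, hash values and the Directory class are constructed for the example.

```python
# Added example (not LDAP Admin's code): toy model of LDAP modify semantics
# for the multivalued userPassword attribute under a write-only ACL.
from copy import deepcopy

MODIFY_ADD, MODIFY_REPLACE = "add", "replace"


class Directory:
    """Toy directory: entries are dicts of attribute -> list of values."""

    def __init__(self, entries, hidden_from_read=()):
        self.entries = deepcopy(entries)
        self.hidden = set(hidden_from_read)  # attributes the ACL makes write-only

    def search(self, dn):
        # Read ACL: hidden attributes are never returned to the client.
        return {a: v for a, v in self.entries[dn].items() if a not in self.hidden}

    def modify(self, dn, attr, op, values):
        entry = self.entries[dn]
        if op == MODIFY_ADD:          # add: append to the existing value set
            entry.setdefault(attr, []).extend(values)
        elif op == MODIFY_REPLACE:    # replace: the value set becomes exactly `values`
            entry[attr] = list(values)
        else:
            raise ValueError(op)


def set_password_naive(d, dn, new_hash):
    """Behaviour described in the ticket: pick add vs replace from what is readable."""
    op = MODIFY_REPLACE if "userPassword" in d.search(dn) else MODIFY_ADD
    d.modify(dn, "userPassword", op, [new_hash])
    return op


def set_password_fixed(d, dn, new_hash):
    """Always replace: a write ACL permits replacing a value set the client cannot read."""
    d.modify(dn, "userPassword", MODIFY_REPLACE, [new_hash])
    return MODIFY_REPLACE


def audit_duplicate_passwords(d):
    """Defender check: DNs whose entries carry more than one userPassword value."""
    return sorted(dn for dn, e in d.entries.items()
                  if len(e.get("userPassword", [])) > 1)


# Constructed sample entry; the hash values are placeholders, not real hashes.
DN = "uid=alice,ou=people,dc=example,dc=com"
SAMPLE = {DN: {"uid": ["alice"], "userPassword": ["{SSHA}oldhash"]}}

if __name__ == "__main__":
    d = Directory(SAMPLE, hidden_from_read=["userPassword"])
    print(set_password_naive(d, DN, "{SSHA}newhash"), audit_duplicate_passwords(d))
```

With read access to userPassword the naive path picks 'replace' and the duplicate never appears, which matches the observation in the ticket.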
