
ppolicy and Access Control to operational Attributes



Hi,

I had a look at the ppolicy overlay (version from HEAD) and I am
wondering now how access controls have to be set up in order to make it
work.
In order to allow a user to change his own password, it seems that I need
to give him "write" access to some of the operational attributes that
hold the password policy state (e.g. pwdChangedTime, pwdHistory and
maybe some others). Otherwise I get "Insufficient access (50)" when the
user tries to modify his "userPassword". But if I give him "write"
access, the user can just circumvent password policies by directly
modifying e.g. "pwdChangedTime" without changing the password.

Did I overlook something? Shouldn't these operational attributes be
flagged with "NO-USER-MODIFICATION" in the schema? That seems at least
to fix the above issue.

-- 
Ralf Haferkamp
SUSE LINUX Products GmbH, Maxfeldstrasse 5, D-90409 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - Ralf.Haferkamp@suse.com
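
The schema flag asked about in this message can be audited mechanically. The following is an added example, not part of the original post or of OpenLDAP: it parses attributeTypes definitions and reports password-policy state attributes that lack NO-USER-MODIFICATION. The sample definitions are constructed with placeholder OIDs, and the watched list holds only the two attributes the post names.

```python
import re

# State attributes named in the post; extend with the others your schema defines.
STATE_ATTRS = {"pwdChangedTime", "pwdHistory"}

# Constructed sample attributeTypes values (placeholder OIDs, not a real schema file).
SAMPLE_SCHEMA = [
    "( 1.1.1 NAME 'pwdChangedTime' EQUALITY generalizedTimeMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE USAGE directoryOperation )",
    "( 1.1.2 NAME 'pwdHistory' EQUALITY octetStringMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 NO-USER-MODIFICATION "
    "USAGE directoryOperation )",
    "( 1.1.3 NAME ( 'cn' 'commonName' ) "
    "DESC 'mentions NO-USER-MODIFICATION in free text' SUP name )",
]

# NAME is either a single quoted string or a parenthesised list of them.
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")

def parse_attribute_type(definition):
    """Return names, the NO-USER-MODIFICATION flag and USAGE of one definition."""
    m = NAME_RE.search(definition)
    if not m:
        return None
    names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    # Blank out quoted strings so keywords inside DESC text are not counted.
    unquoted = re.sub(r"'[^']*'", "''", definition)
    tokens = re.findall(r"[^\s()]+", unquoted)
    usage = "userApplications"  # default when USAGE is absent
    if "USAGE" in tokens and tokens.index("USAGE") + 1 < len(tokens):
        usage = tokens[tokens.index("USAGE") + 1]
    return {"names": names,
            "no_user_mod": "NO-USER-MODIFICATION" in tokens,
            "usage": usage}

def user_modifiable_state_attrs(definitions, watched=STATE_ATTRS):
    """List watched attributes whose definition lacks NO-USER-MODIFICATION."""
    wanted = {w.lower() for w in watched}
    findings = []
    for definition in definitions:
        at = parse_attribute_type(definition)
        if at is None or at["no_user_mod"]:
            continue
        findings.extend(n for n in at["names"] if n.lower() in wanted)
    return sorted(findings)

if __name__ == "__main__":
    for name in user_modifiable_state_attrs(SAMPLE_SCHEMA):
        print(f"{name}: writable by any identity the ACLs grant write access to")
```

To run it against a live server, feed it the attributeTypes values read from the server's subschema entry instead of SAMPLE_SCHEMA.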