
Re: Password protection from admins
On Thu, 21 Aug 2003, Guido Casper wrote:

> Tony Earnshaw wrote:
> > Alberto Alonso wrote:
> >
> >> I would like admins to be able to change a user's password but not
> >> be able to read it.
> >>
> >> I have read the FAQ at
> >> http://www.openldap.org/faq/data/cache/453.html on access lists and
> >> tried messing with taking away read access or setting the ACL via
> >> =wxsc
> >>
> >> However, when using ldappasswd I can't change the userpassword
> >> unless I have read access to it.
> >>
> >> Am I missing something?
> >
> > Write access automatically gives read access. If you don't have read
> > access, how can you have write access? With most systems you'd have to
> > know and enter the old password to be able to change it, anyway. Also,
>
> Yes, but an Administrator often can change another user's password without
> knowing the old one.
>
> > if you think logically, even if he couldn't read the old password,
> > your admin would immediately know the new one as soon as he'd entered
> > it. What's the difference if he can read it or not?
>
> The difference is that the Administrator should not know the USER-CHOSEN
> password at any time.
>
> Guido
>
So store it in something like crypt.