Tony Earnshaw wrote:
Alberto Alonso wrote:
I would like admins to be able to change a user's password but not
be able to read it.
I have read the FAQ at
http://www.openldap.org/faq/data/cache/453.html on access lists and
tried messing with taking away read access or setting the ACL via
=wxsc
However, when using ldappasswd I can't change the userpassword
unless I have read access to it.
Am I missing something?
Write access automatically gives read access. If you don't have read
access, how can you have write access? With most systems you'd have to
know and enter the old password to be able to change it, anyway. Also,
Yes, but an Administrator often can change others' passwords without knowing
the old one.
if you think logically, even if he couldn't read the old password,
your admin would immediately know the new one as soon as he'd entered
it. What's the difference if he can read it or not?
The difference is that the Administrator should not know the USER-CHOSEN
password at any time.
Guido
If the administrator must not know user passwords, they'll have to send
him the encrypted string generated by slappasswd...
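An access directive of the kind that FAQ entry describes, written up as an added example that is not part of this thread; the suffix and the admin DN are placeholders:

```conf
# slapd.conf access directives (added example; dc=example,dc=com and
# cn=admin,dc=example,dc=com are placeholder names).
# OpenLDAP privilege letters: w = write, r = read, s = search,
# c = compare, x = authenticate. The "=" form grants exactly the listed
# privileges instead of a cumulative level, so "=wxsc" is write-without-read.
access to attrs=userPassword
        by dn.exact="cn=admin,dc=example,dc=com" =wxsc
        by self =wxsc
        by anonymous auth
        by * none

# Everything else stays readable for authenticated users.
access to *
        by dn.exact="cn=admin,dc=example,dc=com" write
        by users read
        by * none
```

Check it on the running server: an ldapsearch bound as the admin DN should return entries with no userPassword value, and then test whether ldappasswd (the Password Modify extended operation) still succeeds for that DN on your slapd version, since the thread reports it did not.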