Re: Password protection from admins
Based on the responses I think I need to expand on this.
Basically what Guido said is why I need it. Let me point out some
things:
* There are 2 levels of administrators: the main admin and operators.
Operators help with mundane tasks like changing passwords.
* An admin should never be able to see a user-chosen password.
* An admin should bind to the LDAP directory as themselves, therefore
establishing accountability of the operation.
* In some situations passwords will need to be stored unencrypted,
this depends on which applications and/or systems integrate into
the directory. Please note, in this case I can understand the
main admin being able to see the pwd, but never the operators.
This is the reason why I was referring to the FAQ at:
http://www.openldap.org/faq/data/cache/453.html
It states differences between access levels and privileges. You are
right that the write level includes read access, but if I use
privileges then I should be able to give 'w' without giving 'r'
therefore accomplishing what I need.
It may have something to do with how ldappasswd or the directory
is implemented, which is why I'm asking here. To change the password
I shouldn't have to read it first, should I?
Thanks,
Alberto
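
The level-versus-privilege distinction raised in this message, written out as slapd.conf access rules. This is an added example, not part of the original post or of the OpenLDAP documentation; it assumes the `attrs=` selector spelling from slapd.access(5), and every DN and group name in it is a constructed placeholder.

```conf
# Constructed example: all DNs and group names below are placeholders.

# Variant A, level form. "write" is a cumulative level, so it also
# carries read (plus search, compare and auth). Operators in this group
# can therefore read back the stored userPassword value.
access to attrs=userPassword
    by dn.exact="uid=mainadmin,ou=people,dc=example,dc=com" write
    by group.exact="cn=operators,ou=groups,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none

# Variant B, privilege form. "=w" sets exactly the write privilege and
# nothing else, so operators can replace the value but a search or
# compare against userPassword is refused for them.
# The main admin keeps the "write" level (which includes read) for the
# cleartext-storage case described in the post.
# "by anonymous auth" is what lets every user, operators included,
# bind as themselves, so changes are logged under their own DN.
access to attrs=userPassword
    by dn.exact="uid=mainadmin,ou=people,dc=example,dc=com" write
    by group.exact="cn=operators,ou=groups,dc=example,dc=com" =w
    by self =w
    by anonymous auth
    by * none
```

Only one of the two variants belongs in a live configuration: slapd stops at the first `access to` clause that matches the target, so a second rule for the same attribute is never reached. The rootdn bypasses access rules entirely, which is why the main admin is listed here as an ordinary DN.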