
Re: allow changing userPassword only through extended operations?



Emmanuel Dreyfus wrote:

Is there a way to write an ACL so that userPassword could only be
changed by an extended operation, and not by a simple attribute
modification?

I don't think it's possible (please correct me). A solution I see is to delegate password changes to an applicative agent (like pam_ldap, I think) configured to use passwd exop under an identity that has write permissions on the userPassword attribute of the users.


p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
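
The delegation suggested in the reply above, as an added slapd.conf sketch that is not part of the original message. The agent DN `cn=pwagent,dc=example,dc=com`, the suffix and the user DN in the comments are assumed placeholders. The rule controls who may write userPassword, not which operation they use, so the agent identity must be trusted to use only the password modify exop.

```conf
# Added example (not from the original thread); all DNs are placeholders.
# Place this rule before any broader "access to *" rule: slapd stops at
# the first "access to" clause that matches the entry and attribute.

access to attrs=userPassword
    # The delegated agent is the only identity with write access.
    by dn.exact="cn=pwagent,dc=example,dc=com" write
    # Unauthenticated clients may use the value to bind, nothing more.
    by anonymous auth
    # Everyone else, including the entry's own user, gets no access, so a
    # user-issued modify of userPassword is rejected.
    by * none

# The agent then changes a password with the password modify extended
# operation, for example with the ldappasswd client:
#
#   ldappasswd -x -D "cn=pwagent,dc=example,dc=com" -W -S \
#       "uid=jdoe,ou=people,dc=example,dc=com"
#
# -D/-W bind as the agent and prompt for its password, -S prompts for the
# user's new password.
```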