Hello folks,
I have a quick query. I'm using openldap with ppolicy. I'm using the following ACL just to test things right, and I came across an issue for which I'm unable to find appropriate answers:
ACL used:
---
access to * by * manage
---
1. How to restrict the ldappasswd command to clear the pwdReset flag to user's entry?
2. Can some other users (members of a group) work as rootdn (bypass ppolicy like rootdn, but it should apply to their account itself)?
3. The other question is about ACLs: what's the difference between ACL "write" and "manage" access?
write =wrscdx needed to modify/rename
manage =mwrscdx needed to manage
I'm not able to determine what access "manage" gives over and above "write" access.
I didn't find much info in the openldap.org access-control section.
Thank you.