
Re: ppolicy and ACL question



Hi,
1. If you can do that, I think this is a bug in ldappasswd; pwdReset is used to force the user to change their password *only one time*.

2. No

3. "manage" access gives "administrative privilege", while "write" does not allow it. "Administrative privilege" allows modifying some attributes that usually cannot (and should not) be modified (e.g. entryUUID), hence the term "administrative". You may find more details about that in https://tools.ietf.org/html/draft-zeilenga-ldap-relax-03

Cheers.

On 13/05/2015 04:06, Harmandeep Kaur wrote:
Hello folks,

I have a quick query. I'm using OpenLDAP with ppolicy. I'm using the
following ACL just to test things, and I came across some issues for
which I'm unable to find appropriate answers:

ACL used:

---
access to * by * manage
---

1. How to restrict ldappasswd command to clear the pwdReset flag to
user's entry ?
2. Can some other users (members of a group) work as rootdn (bypass
ppolicy like rootdn, but it should apply to their account itself)?
3. The other question is about ACLs: what's the difference between ACL
"write" and "manage" access?

write    =wrscdx     needed to modify/rename
manage   =mwrscdx    needed to manage

I'm not able to determine what access "manage" gives over and above
"write" access.
I didn't find much info in the openldap.org access-control section.


Thank you.

Regards,

--
*Abdelhamid Meddeb*
http://www.meddeb.net
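
A tighter starting point than the test ACL quoted above, as an added example that is not from the original thread. It uses slapd.conf syntax as in the question; the admin group DN and the dc=example,dc=com suffix are placeholders, and the choice of which attributes to single out is an assumption.

```conf
# Added example, not from the thread. DNs are placeholders.
#
# Test ACL from the question: every identity, anonymous binds included,
# gets "manage" on every entry and attribute.
#access to * by * manage

# Passwords: admins may write, the owner may change the value and bind
# with it (=xw), anonymous may only authenticate. Nobody reads the hash.
access to attrs=userPassword
    by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by self =xw
    by anonymous auth
    by * none

# pwdReset: direct modifications limited to admins, readable by the owner.
access to attrs=pwdReset
    by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by self read
    by * none

# Everything else: admins get "write", not "manage", so the administrative
# privilege the reply describes (e.g. over entryUUID) is granted to no one
# through ACLs. Anonymous keeps "auth" on entries so that binds still work.
access to *
    by group.exact="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by users read
    by anonymous auth
    by * none
```

Comments are kept outside the `access to` statements because slapd.conf treats an indented line as a continuation of the previous line, even when that line is a comment.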
