[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: user they can modify passwords

To: Sven Buchstaller <ask@quickline.de>
Subject: Re: user they can modify passwords
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Thu, 12 Jun 2008 10:10:40 -0400 (EDT)
Cc: openldap-software@openldap.org
In-reply-to: <200806121230.24226.ask@quickline.de>
References: <200806121230.24226.ask@quickline.de>

On Thu, 12 Jun 2008, Sven Buchstaller wrote:

i need an user "it" they can modify on my ldap the passwords for all users.
atm my settings in the acl.conf are:
[cut]
can i do like this:
access to dn.subtree="ou=users,dc=server1,dc=intern"
by self write
by dn="uid=intern,ou=users,dc=server1,dc=intern"
by * read
by dn="uid=it,ou=users,dc=server1,dc=intern"
by * write

1. best practice is to write "dn.exact" if that's your intention. 2. you have no <access> fields for uid=intern nor uid=it. 3. two "by *" rules are irrelevant, only one can fire (in the absence of any <control> fields) 4. most most most importantly, order matters. so those last two lines are never reached, "by * read" matches all first.

Please read slapd.access(5) man page entirely and carefully.

References:
- user they can modify passwords
  - From: Sven Buchstaller <ask@quickline.de>

Prev by Date: ppolicy by group
Next by Date: Re: ppolicy by group
Index(es):
- Chronological
- Thread