
Re: [ldapext] password policy: pwdAllowUserChange



On 14/5/04 6:36 am, Jim Sermersheim <jimse@novell.com> wrote:

> Yeah, I guess I could see a point in leaving it for the reason you point
> out, but for the same reason, I could see adding another attribute which
> grants rights to some 'pwdAdministrator' to change other people's
> passwords (and maybe even various password policy attributes). In fact,
> to align more closely with some existing implementations, the
> pwdSafeModify would allow this pwdAdministrator to make modifications
> without providing the old password. Section 2.1 currently lets us sleaze
> out of this rathole.
> 
> I hope I'm not getting myself into more trouble.

We asked Ludovic about this attribute a while ago. Essentially it is
intended to be used by the server *after* access control evaluation has
occurred - this enables an administrator to fine tune the user's access to
the attribute without having to mess around with setting entryACI or the
local equivalent.

Apparently the Netscape/Sun implementation automatically sets its local ACLs
when the pwdAllowUserChange attribute is changed, so on that server they're
always the same.

Being able to tweak stuff without messing with access controls seems like a
fine goal which permits password management clients without having to have
knowledge of the local access control implementation.

It does need clarifying in the draft though.

Cheers,

Chris


_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext
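The evaluation order Chris describes (access control first, then the password-policy attributes as a further restriction) is easy to get wrong in a server, so here is a toy model of it as an added example. It is not code from the draft, from any directory server, or from either poster; the ACL representation, the self-write rule, and the `pwdAdministrator` set (modelled on Jim's suggestion above) are all assumptions made for illustration.

```python
"""Toy model of a password-modify decision: ACL evaluation first, then
pwdAllowUserChange / pwdSafeModify.  Policy can only restrict, never grant.
Added example; the ACL model and pwdAdministrator handling are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Policy:
    pwdAllowUserChange: bool = True   # may a user change their own password?
    pwdSafeModify: bool = False       # must the old password accompany the new one?
    # Hypothetical (Jim's suggestion, not in the draft): DNs that may change
    # other people's passwords without supplying the old one.
    pwdAdministrator: frozenset = field(default_factory=frozenset)


@dataclass
class ModifyRequest:
    bind_dn: str                     # who is bound
    target_dn: str                   # whose userPassword is being written
    old_password: Optional[str] = None


# Constructed stand-in for entryACI / local ACLs: which bind DNs may write
# userPassword under which subtrees ("*" = anywhere).  Assumed, not real ACI syntax.
ACL = {
    "cn=directory manager": {"*"},
    "uid=helpdesk,ou=people,dc=example,dc=com": {"ou=people,dc=example,dc=com"},
}


def acl_allows(req: ModifyRequest) -> bool:
    """Step 1: ordinary access control.  Assumes every entry may write its own
    userPassword; everything else must be granted explicitly in ACL."""
    if req.bind_dn == req.target_dn:
        return True
    grants = ACL.get(req.bind_dn, set())
    if "*" in grants:
        return True
    return any(req.target_dn.endswith("," + base) for base in grants)


def evaluate(req: ModifyRequest, policy: Policy) -> Tuple[bool, str]:
    """Return (allowed, reason).  The policy attributes are consulted only
    after ACL evaluation has already granted write access."""
    if not acl_allows(req):
        return False, "insufficientAccessRights (ACL)"
    is_self = req.bind_dn == req.target_dn
    is_admin = req.bind_dn in policy.pwdAdministrator
    # pwdAllowUserChange restricts self-service only; it does not touch an
    # administrator's ACL-granted write to someone else's password.
    if is_self and not policy.pwdAllowUserChange:
        return False, "pwdAllowUserChange is FALSE"
    # pwdSafeModify: old password required, except for the (hypothetical)
    # pwdAdministrator set.
    if policy.pwdSafeModify and req.old_password is None and not is_admin:
        return False, "pwdSafeModify requires the old password"
    return True, "ok"


if __name__ == "__main__":
    alice = "uid=alice,ou=people,dc=example,dc=com"
    locked = Policy(pwdAllowUserChange=False)
    print(evaluate(ModifyRequest(alice, alice, "old"), locked))
    print(evaluate(ModifyRequest("uid=helpdesk,ou=people,dc=example,dc=com", alice), locked))
```

The point the model makes explicit is the one in the thread: flipping `pwdAllowUserChange` on an entry changes what that user can do to their own password without anyone editing `entryACI`, while a helpdesk account whose ACL already grants the write is unaffected; conversely a permissive policy never lets a bind DN past an ACL that denies it.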