
Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody



> Full_Name:
> Version: 2.4.26
> OS:
> URL:
> Submission from: (NULL) (84.128.254.201)
>
>
> slapo-ppolicy(5) says:
>
>        pwdAllowUserChange
>
>        This attribute specifies whether users are allowed to  change
>        their  own passwords or not.  If pwdAllowUserChange is set to
>        "TRUE", or if the attribute is not  present,  users  will  be
>        allowed  to  change  their  own  passwords.   If its value is
>        "FALSE", users will not be allowed to change their own
>        passwords.
>
> Given this text I'd expect that admins can still set the userPassword
> attribute.
> Such a policy is often used for system/machine accounts where the machine
> entity itself does not have to change the password but an admin should be
> allowed to do so.

By reading the code, I note that pwdAllowUserChange is not checked when
the operation is performed by the rootdn, which in many senses can be seen
as an administrator.  If by administrator you mean a generic user that is
logically granted administrative privileges (e.g. limited to this purpose)
I concur it is not possible currently.

By reading the man page (and the draft), this attribute seems to be
essentially intended as a replacement (a workaround for the absence) of
access control.  So you could avoid setting it, and use ACLs instead.

OTOH, by strictly interpreting the way its use is discussed in the draft,
it should only apply to attempts by "self" to modify the password, so a
modification performed by a different identity (provided ACLs permit it)
should not be affected.

p.
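One way to express the "use ACLs instead" suggestion from the reply above, as an added example that is not part of the ITS thread: a cn=config ACL that lets a designated admin group set userPassword while denying users any write access to their own. The database index ({1}hdb), the group DN and the suffix are assumed placeholders.

```ldif
# Added example, not from the ITS thread. Assumes the directory is served by
# olcDatabase={1}hdb and that password administrators are members of the
# (placeholder) group cn=pwadmins,ou=groups,dc=example,dc=com.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
# {0} places this rule first so it is evaluated before any broader rule.
olcAccess: {0}to attrs=userPassword
  by group.exact="cn=pwadmins,ou=groups,dc=example,dc=com" write
  by anonymous auth
  by self none
  by * none
```

"by anonymous auth" is what lets the account still bind with its password, while "by self none" denies the bound entry itself any read or write of the attribute; as with pwdAllowUserChange, the rootdn bypasses these ACLs entirely.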