Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody
- From: firstname.lastname@example.org
- Date: Thu, 18 Aug 2011 08:28:23 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
>>> Then the patch is trivial:
>>> If there's consensus, I'll commit it.
>> Seems like a pointless change. You must set ACLs for this type of
>> to be allowed. Since you must set ACLs anyway, there is no good reason to
>> the pwdAllowUserChange policy setting in the first place. In general the
>> pwdAllowUserChange option is only useful on systems that do not already
>> provide fine-grained access controls.
> Agree (see my previous message). For this purpose, I suggest adding, in
> slapo-ppolicy(5), a comment about discouraging the use of
> pwdAllowUserChange since OpenLDAP provides fine-grained ACLs.
I already knew that this can be achieved by ACLs but...
1. OpenLDAP should behave as stated in the ppolicy spec and the man-pages.
2. Sometimes it'd be more handy to use this flag in an already existing
pwdPolicy entry than defining additional ACLs.
Since this patch seems so trivial, why not commit it?