
Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody



masarati@aero.polimi.it wrote:
>>> Then the patch is trivial:
>>> [..]
>>> If there's consensus, I'll commit it.
>>
>> Seems like a pointless change. You must set ACLs for this type of modification
>> to be allowed. Since you must set ACLs anyway, there is no good reason to use
>> the pwdAllowUserChange policy setting in the first place. In general the
>> pwdAllowUserChange option is only useful on systems that do not already
>> provide fine grained access controls.
> 
> Agree (see my previous message).  For this purpose, I suggest to add, in
> slapo-ppolicy(5), a comment about discouraging the use of
> pwdAllowUserChange since OpenLDAP provides fine-grain ACLs.

I already knew that this can be achieved by ACLs but...

1. OpenLDAP should behave as stated in the ppolicy spec and the man-pages.

2. Sometimes it'd be more handy to use this flag in an already existing
pwdPolicy entry than defining additional ACLs.

Since this patch seems so trivial why not commit it?

Ciao, Michael.