[Date Prev][Date Next]
Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7021) pwdAllowUserChange: FALSE disallows password change by anybody
- From: firstname.lastname@example.org
- Date: Thu, 18 Aug 2011 19:13:36 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
> The patch is the result of my reading in 5 minutes a single portion of a
> spec I read in detail years ago, so my interpretation could not be the
> most correct.
But your interpretation makes sense: E.g. system accounts most times do not
need to change their own password. And for security reasons you might want to
avoid that. Think of a the case where the password of a more exposed system is
known by an attacker (which is likely a very bad case anyway). But at least
the attacker should not be able to disable this service by setting a new password.
Yes, this can be done with ACLs. But you might already have a password policy
assigned to this special system accounts because you don't want the system
accounts' password to expire. So adding an extra ACL is more work especially
if system accounts are spread across a more complicated DIT.