ppolicy and Access Control to operational Attributes


I had a look at the ppolicy overlay (version from HEAD) and I am 
wondering now how access controls have to be set up in order to make it 
In order to allow a user to change his own password it seems that I need 
to give him "write" access to some of the operational attributes that 
hold the password policy state (e.g. pwdChangedTime, pwdHistory and 
maybe some others). Otherwise I get "Insufficient access (50)" when the 
user tries to modify his "userPassword". But if I give him "write" 
access the user can just circumvent password policies by directly 
modifying e.g. "pwdChangedTime" without changing the password. 

Did I overlook something? Shouldn't these operational attributes be 
flagged with "NO-USER-MODIFICATION" in the schema? That seems at least 
to fix the above issue.

Ralf Haferkamp
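To make the two ACL setups the message contrasts concrete, the following slapd.conf fragment is an illustration added here; it is not Ralf's configuration and not part of the OpenLDAP tree. The suffix, the policy DN, the backend and the exact list of pwd* attributes beyond pwdChangedTime and pwdHistory are assumptions; the ACL syntax itself is standard slapd.conf.

```conf
# Added illustration, not the poster's configuration.
# Suffix, backend and policy DN are assumed.
database        bdb
suffix          "dc=example,dc=com"
overlay         ppolicy
ppolicy_default "cn=default,ou=policies,dc=example,dc=com"

# ACLs are evaluated first match wins, so the attribute-specific
# rules must come before the catch-all at the end.

# Intended least-privilege rule: a user may replace only his own
# userPassword; anonymous binds may use it only to authenticate.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Password-policy state attributes maintained by the overlay.
# With this rule a user cannot modify them. This is the setup in
# which the message reports "Insufficient access (50)" when the
# user modifies his own userPassword with the HEAD overlay.
access to attrs=pwdChangedTime,pwdHistory
        by * read

# The workaround the message describes, commented out because of the
# problem it points out: "self write" here makes the password change
# succeed, but the same user can then send a modify that touches only
# pwdChangedTime, e.g. with ldapmodify:
#
#   dn: uid=jdoe,ou=people,dc=example,dc=com
#   changetype: modify
#   replace: pwdChangedTime
#   pwdChangedTime: 20051231000000Z
#
# which resets the password-age clock without changing the password.
#access to attrs=pwdChangedTime,pwdHistory
#        by self write
#        by * read

access to *
        by * read
```

The point of the contrast is that the first rule set is the one an administrator would want to deploy, and the second is the one the overlay appeared to require; whether the state attributes should instead be marked NO-USER-MODIFICATION so that only the overlay itself can update them is exactly the question the message raises.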
