[Date Prev][Date Next]
ppolicy and Access Control to operational Attributes
- To: openldap-devel@OpenLDAP.org
- Subject: ppolicy and Access Control to operational Attributes
- From: Ralf Haferkamp <email@example.com>
- Date: Wed, 6 Apr 2005 11:54:04 +0200
- Content-disposition: inline
- User-agent: KMail/1.8
I had a look at the ppolicy-overlay (version from HEAD) and I am
wondering now how access controls have to be setup in order to make it
In order to allow a user to change his own password it seems that I need
to give him "write" access to some of the operational Attributes that
hold the Password Policy State (e.g. pwdChangedTime, pwdHistory and
maybe some others). Otherwise I get "Insufficient access (50)" when the
user tries to modify his "userPassword". But if I give him "write"
access the user can just circumvent password policies be directly
modifying e.g. "pwdChangedTime" without changing the password.
Did I overlook something? Shouldn't these operational Attributes be
flagged with "NO-USER-MODIFCATION" in the Schema? That seems at least
to fix the above issue.
SUSE LINUX Products GmbH, Maxfeldstrasse 5, D-90409 Nuernberg
F: +49-911-74053575 - Ralf.Haferkamp@suse.com