
Re: Password protection from admins



Tony Earnshaw wrote:
> Alberto Alonso wrote:
>
>> I would like admins to be able to change a user's password but not
>> be able to read it.
>>
>> I have read the FAQ at
>> http://www.openldap.org/faq/data/cache/453.html on access lists and
>> tried messing with taking away read access or setting the ACL via
>> =wxsc
>>
>> However, when using ldappasswd I can't change the userpassword
>> unless I have read access to it.
>>
>> Am I missing something?
>
> Write access automatically gives read access. If you don't have read
> access, how can you have write access? With most systems you'd have to
> know and enter the old password to be able to change it, anyway. Also,

Yes, but an Administrator can often change others' passwords without knowing
the old one.

> if you think logically, even if he couldn't read the old password,
> your admin would immediately know the new one as soon as he'd entered
> it. What's the difference if he can read it or not?

The difference is that the Administrator should not know the USER-CHOSEN
password at any time.

Guido
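The ACL shape the original poster is reaching for, written out as an added example (it is not from the thread or the OpenLDAP FAQ; the suffix dc=example,dc=com and the helpdesk DN cn=helpdesk,dc=example,dc=com are assumed names). In slapd.access(5) the level keywords are cumulative, so `write` implies `read`; the `=` form instead sets the privilege bits exactly, and `=w` grants the right to add and delete values of userPassword without read, search or compare:

```conf
# Added example (slapd.conf-style ACLs), not code from the original thread.
# Assumes the suffix dc=example,dc=com and a helpdesk account
# cn=helpdesk,dc=example,dc=com; both names are hypothetical.
#
# Level keywords are cumulative (auth < compare < search < read < write),
# so "by ... write" would also grant read. "=w" sets the privileges
# exactly: write (add/delete values) only, no read, search or compare.
access to attrs=userPassword
        by self write
        by dn.exact="cn=helpdesk,dc=example,dc=com" =w
        by anonymous auth
        by * none

# Ordinary attributes keep the usual rules.
access to *
        by self write
        by users read
        by * none
```

Two things to check when trying this: the helpdesk account must be an ordinary entry, not the rootdn, because rootdn bypasses ACLs entirely; and the ACL on userPassword must come before the catch-all `access to *`, since slapd stops at the first matching `access to` clause. Then bind as the helpdesk DN and confirm that an ldapsearch of a user entry does not return userPassword while ldappasswd against that entry succeeds; releases that ship slapacl(8) let you ask the same question offline with something like `slapacl -b "uid=someone,dc=example,dc=com" -D "cn=helpdesk,dc=example,dc=com" userPassword/write`.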