
Re: Password protection from admins



Guido Casper wrote:
> Tony Earnshaw wrote:
>> Alberto Alonso wrote:
>>> I would like admins to be able to change a user's password but not
>>> be able to read it.
>>>
>>> I have read the FAQ at
>>> http://www.openldap.org/faq/data/cache/453.html on access lists and
>>> tried messing with taking away read access or setting the ACL via
>>> =wxsc
>>>
>>> However, when using ldappasswd I can't change the userpassword
>>> unless I have read access to it.
>>>
>>> Am I missing something?
>>
>> Write access automatically gives read access. If you don't have read
>> access, how can you have write access? With most systems you'd have to
>> know and enter the old password to be able to change it, anyway. Also,
>
> Yes, but an Administrator often can change others' passwords without knowing
> the old one.
>
>> if you think logically, even if he couldn't read the old password,
>> your admin would immediately know the new one as soon as he'd entered
>> it. What's the difference if he can read it or not?
>
> The difference is that the Administrator should not know the USER-CHOSEN
> password at any time.
>
> Guido
If the administrator must not know user passwords, they'll have to send him the encrypted string generated by slappasswd...
Or you'll have to write a user interface that lets them change their own password...
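As an added illustration (not part of this thread, and not the FAQ's own text), here is the ACL shape the FAQ entry points at. In slapd's ACL syntax the access *levels* are cumulative, so the level `write` implies `read`; that is why "taking read away" while keeping the `write` level cannot work. The explicit-privilege form `=w` instead grants exactly the write privilege and nothing below it, which is the split Guido is asking for: a helpdesk group that can set a new value but never read, search or compare the one the user chose. The DNs and the group name are placeholders assumed for the example.

```conf
# slapd.conf fragment (added example; DNs are placeholders, not from the thread).
# Hash values set through the Password Modify extended operation (ldappasswd)
# server-side, so the directory stores a hash even if a client sends cleartext.
password-hash   {SSHA}

access to attrs=userPassword
    # the user may bind with it (x) and replace it (w), but not read the stored hash
    by self =xw
    # helpdesk may set a new value; no r/s/c, so the user-chosen value is never disclosed
    by group.exact="cn=helpdesk,ou=groups,dc=example,dc=com" =w
    # unauthenticated clients may only present it for a simple bind
    by anonymous auth
    by * none

# Remaining attributes: ordinary rules
access to *
    by self write
    by users read
    by anonymous auth
```

Two points a practitioner would check: first, the `auth` privilege (`x`) is still needed on `userPassword` for anyone who must bind with it, which is why `by self =xw` rather than `=w`, and `by anonymous auth` stays in place. Second, a value set by the helpdesk is of course known to the helpdesk; what the `=w` form guarantees is only that the value the user later chooses for themselves cannot be read back, which is exactly the distinction drawn in the thread. If the deployment runs the ppolicy overlay, marking an admin-set password as a reset that must be changed on next bind closes the remaining gap.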