[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: allow changing userPassword only through extended operations?

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: allow changing userPassword only through extended operations?
From: Pierangelo Masarati <ando@sys-net.it>
Date: Mon, 27 Aug 2007 17:51:20 +0200
Cc: openldap-software@openldap.org
In-reply-to: <1i3hnei.plq0qlvjypvrM%manu@netbsd.org>
References: <1i3hnei.plq0qlvjypvrM%manu@netbsd.org>
User-agent: Thunderbird 1.5.0.8 (X11/20061025)

Emmanuel Dreyfus wrote:

Is there a way to write an ACL so that userPassword could only be
changed by an extended operation, and not by a simple attribute
modification?

I don't think it's possible (please correct me). A solution I see is to delegate password changes to an applicative agent (like pam_ldap, I think) configured to use passwd exop under an identity that has write permissions on the userPassword attribute of the users.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------

Follow-Ups:
- Re: allow changing userPassword only through extended operations?
  - From: Emmanuel Dreyfus <manu@netbsd.org>

References:
- allow changing userPassword only through extended operations?
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: slapadd: dn="dc=test, dc=ekool, dc=ee" (line=6): (64) value of naming attribute 'dc' is not present in entry
Next by Date: Re: allow changing userPassword only through extended operations?
Index(es):
- Chronological
- Thread