[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ACLs - allowing a user to add a new attribute

Could you please clarify this comment for me, I don't understand. the only ACLs I have referring to userPassword is

access to attrs=userPassword
by group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" write
     by dn.children="ou=Admins,dc=domain,dc=com" write
     by self write
     by * auth

trying to achieve write access for the ldappers group, children of the Admins ou and self. by self write should give a user the ability to change their password, correct ? Is there a better ACL for what I'm trying to achieve ?

One comment I would make about your ACLs is that in several places you
are granting read access to userPassword. This is not usually
necessary nor is it a good idea. You need 'by * auth' access to permit
authentication, but only need to give '=w' access to those who need to
change passwords. Remember that the 'write' keyword includes read access.

Matt Ingram
Intermediate Unix Administrator, IS
Canadian Bank Note Company, Limited