[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Admin roles by group membership per OU

To: Ervin Hegedüs <airween@gmail.com>
Subject: Re: Admin roles by group membership per OU
From: Michael Ströder <michael@stroeder.com>
Date: Thu, 12 Oct 2017 22:34:09 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <20171012143945.GA24897@arxnet.hu>
Openpgp: id=43C8730E84A20E560722806C07DC7AE36A8BC938
References: <20171011153114.GA6037@arxnet.hu> <5411f0bd-bf3d-1a88-650b-8f8e845815df@savoirfairelinux.com> <20171012143945.GA24897@arxnet.hu>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 SeaMonkey/2.49.1

Ervin Hegedüs wrote:
> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write

Additional side notes regarding this ACL above (which is often used in
tutorials):

1. You should use slapo-ppolicy instead of deprecated 'shadowLastChange'
attribute to enforce password expiry.

2. With this ACL the user can extend the password validity period
himself which renders password expiry ineffective.

Ciao, Michael.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Follow-Ups:
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>

References:
- Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>
- Re: Admin roles by group membership per OU
  - From: Clément OUDOT <clement.oudot@savoirfairelinux.com>
- Re: Admin roles by group membership per OU
  - From: Ervin Hegedüs <airween@gmail.com>

Prev by Date: Re: Admin roles by group membership per OU
Next by Date: Re: Admin roles by group membership per OU
Index(es):
- Chronological
- Thread