
Re: Admin roles by group membership per OU



Hi Michael,

On Thu, Oct 12, 2017 at 10:34:09PM +0200, Michael Ströder wrote:
> Ervin Hegedüs wrote:
> > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write
> 
> Additional side notes regarding this ACL above (which is often used in
> tutorials):
> 
> 1. You should use slapo-ppolicy instead of deprecated 'shadowLastChange'
> attribute to enforce password expiry.

thanks - I'm relatively "new" (recurrent after many years) in
OpenLDAP. Most concepts are very new for me, especially this one
above (slapo-ppolicy).

I have to read the related documentation.

> 2. With this ACL the user can extend the password validity period
> himself which renders password expiry ineffective.

good catch, I'll review the rules again tomorrow.

Thanks again!
 


a.
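
The two side notes quoted above, shown as configuration: an added example, not part of the thread or of either poster's setup. The database DN `olcDatabase={1}mdb`, the suffix `dc=example,dc=com`, the `ou=policies` container and the 90-day `pwdMaxAge` are assumptions, as is the ppolicy module (and, on 2.4, its schema) being loaded already.

```ldif
# Constructed example. DNs, suffix and values are assumptions.

# 1. Replace the tutorial ACL. Users can still change their own password,
#    but shadowLastChange is no longer self-writable, so a user cannot
#    push the expiry date forward by editing it.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
-
add: olcAccess
olcAccess: {1}to attrs=shadowLastChange by self read by * none

# 2. Enable slapo-ppolicy on the same database. Expiry is then derived
#    from pwdChangedTime, an operational attribute that slapd maintains
#    and that clients cannot modify.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# 3. Default policy entry: passwords expire after 90 days (7776000 s).
#    pwdPolicy is an auxiliary class, so a structural class is needed too.
dn: cn=default,ou=policies,dc=example,dc=com
changetype: add
objectClass: organizationalRole
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
```

The first two records go to `cn=config` and the third to the data suffix, so they are applied with different bind identities.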