Re: Admin roles by group membership per OU
Hi Michael,
On Thu, Oct 12, 2017 at 10:34:09PM +0200, Michael Ströder wrote:
> Ervin Hegedüs wrote:
> > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write
>
> Additional side notes regarding this ACL above (which is often used in
> tutorials):
>
> 1. You should use slapo-ppolicy instead of deprecated 'shadowLastChange'
> attribute to enforce password expiry.
Thanks - I'm relatively "new" (recurrent after many years) to
OpenLDAP. Most concepts are very new to me, especially this one
above (slapo-ppolicy).
I have to read the related documentation.
> 2. With this ACL the user can extend the password validity period
> himself which renders password expiry ineffective.
Good catch, I'll review the rules again tomorrow.
Thanks again!
a.
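
Added example, not part of the original thread: a small audit that reads olcAccess values and reports rules under which the entry owner can write password-aging attributes, the problem raised in side note 2. It goes beyond the quoted rule by covering all shadowAccount aging attributes and slapd's first-matching-"by" behaviour; the function names and sample rules are constructed for illustration, and each rule is checked on its own (no DN scoping, no ordering across rules, no DNs containing spaces).

```python
import re

# shadowAccount aging attributes (RFC 2307); the thread names shadowLastChange.
AGING = {"shadowlastchange", "shadowmin", "shadowmax",
         "shadowwarning", "shadowinactive", "shadowexpire"}
# <who> forms that match an authenticated user acting on their own entry.
OWNER_WHO = {"self", "users", "*"}

def grants_write(access):
    """True if an <access> token is a level or privilege set that includes write."""
    a = access.lower()
    if a in ("write", "manage"):
        return True
    return a.startswith(("=", "+")) and "w" in a[1:]

def owner_writable(acl):
    """Aging attributes the entry owner may write under one olcAccess value."""
    rule = re.sub(r"^\{\d+\}", "", acl.strip())          # drop the {n} ordering prefix
    what, *clauses = re.split(r"\s+by\s+", rule)
    m = re.search(r"\battrs=(\S+)", what)
    # No attrs= means the rule covers every attribute of the entry.
    covered = {a.lower() for a in m.group(1).split(",")} & AGING if m else set(AGING)
    for clause in clauses:
        tokens = clause.split()
        who = tokens[0].lower()
        access = tokens[1] if len(tokens) > 1 else ""
        if who in OWNER_WHO:
            # slapd stops at the first <who> that matches, so this clause decides.
            return covered if grants_write(access) else set()
    return set()

def audit(values):
    """Map rule index -> sorted aging attributes that are owner-writable."""
    findings = {}
    for i, value in enumerate(values):
        found = owner_writable(value)
        if found:
            findings[i] = sorted(found)
    return findings

SAMPLE = [  # constructed olcAccess values, not taken from a real directory
    "{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none",
    "{1}to attrs=userPassword by self =xw by anonymous auth by * none",
    "{2}to attrs=shadowLastChange,shadowMax by users read by self write",
    "{3}to * by self write by * read",
]

if __name__ == "__main__":
    for index, attrs in audit(SAMPLE).items():
        print(f"olcAccess {{{index}}}: owner can write {', '.join(attrs)}")
```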