
Re: ppolicy : managing passwords by another user than root



On Monday, 1 February 2010 13:34:58 smainklh@free.fr wrote:
> no idea ?
> 
> ----- Original Mail -----
> From: Smaïne Kahlouch <smainklh@free.fr>
> To: openldap-technical@openldap.org
> Sent: Sun, 31 Jan 2010 12:55:33 +0100 (CET)
> Subject: ppolicy : managing passwords by another user than root
> 
> Hi everyone,
> 
> I'm trying to allow a user to change the passwords of users in a
> specific subtree.
> 
> For example:
> The user uid=admin-sales,o=Sales,dc=domain,dc=tld is allowed to change
> the passwords of users in the following directory :
> ou=Users,o=Sales,dc=domain,dc=tld.
> 
> I figured it out by playing with the ACLs, but when enabling password
> policy the user uid=admin-sales can't change passwords anymore. The only
> user allowed is the admin (root user).
> 
> Is there a way to do so or is it impossible for another user than root
> to manage passwords with ppolicy enabled?

As documented in slapo-ppolicy(5), some attributes (those with NO-USER-MODIFICATION 
and USAGE directoryOperation) cannot be set by normal users. For 
example, only the rootdn is currently able to unlock an account that is locked 
out.

However, subject to appropriate ACLs, non-rootdn DNs should be able to update 
other attributes related to password changes. You may want to enable acl 
debugging to see which attributes are getting attempted changes rejected.

Regards,
Buchan
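As an added illustration of the ACL side of the answer above (example configuration written for this thread, not taken from the original posts or from the OpenLDAP documentation): a slapd.conf access directive granting uid=admin-sales write access to userPassword in the sales subtree, using the DNs from the question. It assumes slapd.conf-style configuration and the usual most-specific-first ACL ordering.

```conf
# Grant the sales administrator the right to set userPassword for entries
# under ou=Users,o=Sales (DNs from the thread). Place this before any
# broader "access to *" rule: slapd applies the first matching clause.
access to dn.subtree="ou=Users,o=Sales,dc=domain,dc=tld" attrs=userPassword
    by dn.exact="uid=admin-sales,o=Sales,dc=domain,dc=tld" write
    by self write
    by anonymous auth
    by * none

# Operational ppolicy attributes flagged NO-USER-MODIFICATION in the schema
# (for example pwdAccountLockedTime) are refused for every DN except the
# rootdn, so a "write" grant on them here would have no effect. Clearing a
# lockout therefore still has to be done as the rootdn.

# To see which attribute of a failed modify is being refused, as suggested
# in the reply, raise the log level to include ACL processing (syslog output).
loglevel acl
```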