masarati@aero.polimi.it wrote:
The patch is the result of my reading in 5 minutes a single portion of a spec I read in detail years ago, so my interpretation could not be the most correct.
But your interpretation makes sense: E.g. system accounts most times do not need to change their own password. And for security reasons you might want to avoid that. Think of the case where the password of a more exposed system is known by an attacker (which is likely a very bad case anyway). But at least the attacker should not be able to disable this service by setting a new password.
Yes, this can be done with ACLs. But you might already have a password policy assigned to these special system accounts because you don't want the system accounts' password to expire. So adding an extra ACL is more work, especially if system accounts are spread across a more complicated DIT.
Ciao, Michael.