Hello
Is there a way to write an ACL so that userPassword could only be changed by an extended operation, and not by a simple attribute modification?
Emmanuel Dreyfus wrote:
> Is there a way to write an ACL so that userPassword could only be changed by an extended operation, and not by a simple attribute modification?
I don't think it's possible (please correct me). A solution I see is to delegate password changes to an applicative agent (like pam_ldap, I think) configured to use passwd exop under an identity that has write permissions on the userPassword attribute of the users.
p.
Ing. Pierangelo Masarati, OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
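The delegation Pierangelo suggests, written out as an added slapd.conf ACL fragment (this is not from the thread and not OpenLDAP's own documentation): nobody except a dedicated agent identity may write userPassword, and that agent sets passwords on users' behalf with the Password Modify extended operation (RFC 3062). The suffix dc=example,dc=com and the agent DN cn=pwagent,dc=example,dc=com are assumed placeholders.

```conf
# Added example (not from the thread): slapd.conf ACLs for delegated password
# changes. Assumed placeholders: suffix dc=example,dc=com and the agent
# identity cn=pwagent,dc=example,dc=com.
#
# The first matching "by" clause wins, so the agent clause comes first.
# - The agent (e.g. the host running pam_ldap) gets write on userPassword and
#   changes passwords with the Password Modify exop (RFC 3062), which is what
#   ldappasswd sends.
# - "by anonymous auth" lets anyone present credentials for a simple bind
#   without being able to read the attribute.
# - "by * none" denies everyone else, the user himself included, so a direct
#   attribute modify of userPassword from a client is rejected by the server.
# Guard the agent's own credentials: that identity can set any user's password.
access to attrs=userPassword
    by dn.exact="cn=pwagent,dc=example,dc=com" write
    by anonymous auth
    by * none

# Remaining attributes stay editable by the entry owner and readable by
# authenticated users.
access to *
    by self write
    by users read
    by * none
```

With this ACL a user's own ldappasswd call is refused as well; the agent performs the change by binding as the agent DN, e.g. `ldappasswd -x -D "cn=pwagent,dc=example,dc=com" -W -S "uid=alice,ou=people,dc=example,dc=com"` (assumed DNs).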
On Mon, Aug 27, 2007 at 05:51:20PM +0200, Pierangelo Masarati wrote:
> I don't think it's possible (please correct me). A solution I see is to delegate password changes to an applicative agent (like pam_ldap, I think) configured to use passwd exop under an identity that has write permissions on the userPassword attribute of the users.
Of course, that's an ideal situation, but I'm looking for a ban on direct userPassword changes because I have not found how to get the client to do the right thing (it's MacOS X's OpenDirectory).