Hi Michael,
On Thu, Oct 12, 2017 at 10:34:09PM +0200, Michael Ströder wrote:
> Ervin Hegedüs wrote:
> > olcAccess: {0}to attrs=userPassword,shadowLastChange by self write
> Additional side notes regarding this ACL above (which is often used in tutorials):
> - You should use slapo-ppolicy instead of deprecated 'shadowLastChange'
> attribute to enforce password expiry.
thanks - I'm relatively "new" (recurrent after many years) to OpenLDAP. Most concepts are very new for me, especially this one above (slapo-ppolicy).
I have to read the related documentation.
> - With this ACL the user can extend the password validity period
> himself which renders password expiry ineffective.
good catch, I'll review the rules again tomorrow.
Thanks again!
a.
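
The ACL issue raised in this thread, as an added example that is not part of the original mail or anyone's actual configuration: the quoted rule is split so that users can still change their own password but can no longer write shadowLastChange, and expiry is handed to slapo-ppolicy. The database DN, the suffix dc=example,dc=com, the extra "by" clauses and the 90-day pwdMaxAge are assumptions.

```ldif
# Added example. DNs, the additional "by" clauses and the policy values
# are assumptions; adapt them to the real directory.

# Weak form quoted in the thread: self can write shadowLastChange and
# thereby push back his own password expiry.
#   olcAccess: {0}to attrs=userPassword,shadowLastChange by self write ...

# Corrected values of olcAccess on the database entry
# (assumed to be olcDatabase={1}mdb,cn=config):
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self read by * none

# Password expiry via slapo-ppolicy. Assumes the ppolicy module and schema
# are already loaded and ou=policies exists.
dn: olcOverlay=ppolicy,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=example,dc=com

# Default policy entry. pwdMaxAge is in seconds (7776000 = 90 days).
# Expiry is computed from pwdChangedTime, an operational attribute that
# slapd maintains itself and that users cannot modify.
dn: cn=default,ou=policies,dc=example,dc=com
objectClass: device
objectClass: pwdPolicy
cn: default
pwdAttribute: userPassword
pwdMaxAge: 7776000
```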