Hello folks,
I have a quick query. I'm using OpenLDAP with ppolicy. I'm using the following ACL just to test things; I came across an issue for which I'm unable to find appropriate answers:
ACL used:
access to * by * manage
1. How to restrict the ldappasswd command from clearing the pwdReset flag on a user's entry?
2. Can some other users (members of a group) work like rootdn (bypass ppolicy like rootdn, but it should apply to their own account)?
3. The other question is about ACLs: what's the difference between ACL "write" and "manage" access?
write =wrscdx needed to modify/rename
manage =mwrscdx needed to manage
I'm not able to determine what access "manage" gives over and above "write" access. I didn't find much info in the access-control section at openldap.org.
Thank you.
Regards,
Hi,
1. If you can do that, I think this is a bug in ldappasswd; pwdReset is used to force the user to change their password *only one time*.
2. No
3. "manage" access gives "administrative privilege", while "write" does not. "Administrative privilege" allows modifying some attributes that usually cannot (and should not) be modified, in the "administrative" sense of the term (e.g. entryUUID). You may find more details about that in https://tools.ietf.org/html/draft-zeilenga-ldap-relax-03
Cheers.
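As an added illustration of the write/manage distinction described in the answer above (example configuration written for this page, not something either poster provided): instead of the test ACL "access to * by * manage", which hands every bind, anonymous included, full administrative rights over the whole tree, the set below grants "write" where an ordinary attribute is being changed and "manage" only on the one attribute, and only to the one group, that actually needs it. The database DN, suffix and group name are assumptions; that pwdReset is an attribute the server refuses to let a plain "write" touch, and that the Relax Rules control (ldapmodify -e relax) is the mechanism that lifts that refusal, follows the linked draft but is my reading, not the poster's.

```ldif
# Added example, not from either poster. Assumptions (mine): the database is
# olcDatabase={1}mdb,cn=config, the suffix is dc=example,dc=com, and
# cn=pwadmins,ou=groups,dc=example,dc=com is a group of helpdesk accounts.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# userPassword is a normal user attribute: "write" is all that is needed
# for a user to change it or for the helpdesk group to reset it.
olcAccess: {0}to attrs=userPassword
  by self write
  by group.exact="cn=pwadmins,ou=groups,dc=example,dc=com" write
  by anonymous auth
  by * none
# pwdReset is maintained by the server; setting it by hand is an
# administrative modification, so it needs "manage" together with the
# relax control (ldapmodify -e relax). Only the helpdesk group gets that,
# and only on this attribute, so "manage" never covers the whole tree.
olcAccess: {1}to attrs=pwdReset
  by group.exact="cn=pwadmins,ou=groups,dc=example,dc=com" manage
  by self read
  by * none
# Everything else: a user may edit its own entry, authenticated users may
# read, anonymous gets nothing. No one below rootdn holds "manage" here.
olcAccess: {2}to *
  by self write
  by users read
  by * none
```

Apply it over the local config socket with ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif (assuming the cn=config database is reachable that way). The point to take from it: "manage" is the level to hand out per attribute and per group, never as the default for "*", because it is the level that lets a bind rewrite data the server itself is supposed to own.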
On 13/05/2015 04:06, Harmandeep Kaur wrote:
openldap-technical@openldap.org