[389-users] Re: user password change issue

On 7/7/25 4:05 PM, Van Remoortere, Arnaud wrote:
Hi, I appreciate the help; no amount of using search engines found me that. What does "Allow Users to Change their Passwords" in General Settings do?

It allows users to change their passwords (if they have authorization to do so).  So if an ACI allows someone to change their own entry, you could still block them from changing their password by setting the value to "off".  Basically this forces all password updates to go through some other Administrator/account.


Mark



From: Rob Crittenden via 389-users <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Sent: Monday, July 7, 2025 7:03 PM
To: Mark Reynolds <mareynol@xxxxxxxxxx>; General discussion list for the 389 Directory server project. <389-users@xxxxxxxxxxxxxxxxxxxxxxx>
Cc: Van Remoortere, Arnaud <avanremo@xxxxxxxxxx>; Rob Crittenden <rcritten@xxxxxxxxxx>
Subject: [389-users] Re: user password change issue
 

Mark Reynolds wrote:
>
> On 7/7/25 1:51 PM, Rob Crittenden via 389-users wrote:
>> Van Remoortere, Arnaud via 389-users wrote:
>>> Hi there, I've created a posixAccount with a userPassword and can login
>>> using this user over SSH, the issue is that although "Allow Users to
>>> Change their Passwords" is selected in General Settings, I only managed
>>> to allow a user to change their own password by writing an ACI:
>>>
>>> (target="ldap:///cn=jack,ou=users,dc=lab")(targetattr="userPassword")(version 3.0; acl "password"; allow(write) userdn="ldap:///cn=jack,ou=users,dc=lab";)
>>>
>>> I'm hoping to not need an ACI for each user if there's a better way?
>> There is a bind type of "self" which applies to the bound user.
>> Self-service basically.
>>
>> This is from the 389-ds docs on access control:
>>
>> # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
>>
>> dn: ou=People,dc=example,dc=com
>> changetype: modify
>> delete: aci
> I think you mean "add", not "delete" :-)  Is this a copy/paste from
> the docs?  If so, can you send me the link?

It was PEBKAC. The docs show both how to add the new ACI and how to
delete it. I flipped back and forth and copied the wrong one.

https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html-single/managing_access_control/index#con_how-directory-server-handles-acis-in-a-replication-topology_assembly_managing-access-control-instructions

rob

>> aci: (targetattr="userPassword") (version 3.0; acl "Allow users
>>    updating their password"; allow (write) userdn= "ldap:///self";)
>>
>> rob
>>

--
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
-- 
Identity Management Development Team
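Added illustration, not part of the thread and not 389-ds code: a small Python model of the access decision the two replies describe. It parses the per-user ACI Arnaud posted and the "ldap:///self" ACI Rob quoted, scopes each to the entry it is placed on plus that entry's subtree, resolves "self" to the entry being modified, lets the root DN bypass ACIs, and layers the cn=config passwordChange switch (the "Allow Users to Change their Passwords" setting Mark explains) on top. Where the thread does not say, it assumes both ACIs sit on ou=users,dc=lab, that the root DN is the default cn=Directory Manager, and that a second user cn=jill,ou=users,dc=lab and a service account cn=svc1,ou=svc,dc=lab exist; those DNs, the helper names, and the cut-down ACI grammar (target, targetattr, one userdn, allow (write) only) are the example's own.

```python
"""Toy model of 389-ds write access to userPassword.

Added illustration only, not 389-ds code. It covers just what the thread
touches: ACIs scoped to the entry they sit on plus its subtree, an optional
exact "target", "targetattr", a single userdn of ldap:///self or an explicit
DN, "allow (write)", the root DN bypassing ACIs, and the cn=config
passwordChange switch ("Allow Users to Change their Passwords"). Real ACI
evaluation (deny rules, wildcards, groups, filters, other bind rules) is richer.
"""
import re
from dataclasses import dataclass
from typing import Optional

ROOT_DN = "cn=Directory Manager"   # assumed default root DN; ACIs never apply to it

# (key="value") clauses before the version clause, and the allow/userdn rule.
ACI_ATTR_RE = re.compile(r'\(\s*(target|targetattr)\s*=\s*"([^"]*)"\s*\)', re.I)
ACI_RULE_RE = re.compile(r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///([^"]*)"', re.I)


def norm_dn(dn: str) -> str:
    """Case- and whitespace-insensitive DN form for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies below it."""
    e, b = norm_dn(entry_dn), norm_dn(base_dn)
    return e == b or e.endswith("," + b)


@dataclass
class Aci:
    placed_on: str            # entry whose aci attribute holds this value
    targetattr: frozenset     # lower-cased attribute names
    rights: frozenset         # e.g. {"write"}
    userdn: str               # "self" or an explicit DN
    target: Optional[str]     # explicit target DN, or None for "this subtree"


def parse_aci(placed_on: str, text: str) -> Aci:
    parts = {k.lower(): v for k, v in ACI_ATTR_RE.findall(text)}
    rule = ACI_RULE_RE.search(text)
    if rule is None or "targetattr" not in parts:
        raise ValueError("ACI form not covered by this model: " + text)
    target = parts.get("target")
    if target is not None:
        target = target.removeprefix("ldap:///")
    return Aci(
        placed_on=placed_on,
        targetattr=frozenset(a.strip().lower() for a in parts["targetattr"].split("||")),
        rights=frozenset(r.strip().lower() for r in rule.group(1).split(",")),
        userdn=rule.group(2).strip(),
        target=target,
    )


def can_write(acis, bind_dn, entry_dn, attr, password_change=True):
    """Decide whether bind_dn may write attr on entry_dn under these ACIs."""
    attr = attr.lower()
    if norm_dn(bind_dn) == norm_dn(ROOT_DN):
        return True                                   # root DN bypasses ACIs
    # Global switch: with passwordChange off, a user's own userPassword change
    # is refused no matter what the ACIs grant (Mark's point in the thread).
    if attr == "userpassword" and norm_dn(bind_dn) == norm_dn(entry_dn) and not password_change:
        return False
    for aci in acis:
        if "write" not in aci.rights:
            continue
        if not is_under(entry_dn, aci.placed_on):     # ACI scope: entry + subtree
            continue
        if aci.target is not None and norm_dn(aci.target) != norm_dn(entry_dn):
            continue
        if attr not in aci.targetattr:
            continue
        if aci.userdn.lower() == "self":
            # "self" is the DN of the entry being modified, so it only matches
            # when the bound user edits their own entry.
            if norm_dn(bind_dn) == norm_dn(entry_dn):
                return True
        elif norm_dn(bind_dn) == norm_dn(aci.userdn):
            return True
    return False                                      # nothing granted: deny


# The two ACIs from the thread, assumed (not stated there) to sit on ou=users,dc=lab.
PER_USER_ACI = parse_aci("ou=users,dc=lab",
    '(target="ldap:///cn=jack,ou=users,dc=lab")(targetattr="userPassword")'
    '(version 3.0; acl "password"; allow(write) userdn="ldap:///cn=jack,ou=users,dc=lab";)')
SELF_ACI = parse_aci("ou=users,dc=lab",
    '(targetattr="userPassword") (version 3.0; acl "Allow users updating their password";'
    ' allow (write) userdn= "ldap:///self";)')

# Constructed DNs for the walk-through (only jack appears in the thread).
JACK, JILL, SVC = "cn=jack,ou=users,dc=lab", "cn=jill,ou=users,dc=lab", "cn=svc1,ou=svc,dc=lab"

if __name__ == "__main__":
    cases = [
        ("per-user ACI, jack -> jack",            [PER_USER_ACI], JACK, JACK, "userPassword", True),
        ("per-user ACI, jill -> jill",            [PER_USER_ACI], JILL, JILL, "userPassword", True),
        ("self ACI, jill -> jill",                [SELF_ACI], JILL, JILL, "userPassword", True),
        ("self ACI, jack -> jill",                [SELF_ACI], JACK, JILL, "userPassword", True),
        ("self ACI, jack -> own mail",            [SELF_ACI], JACK, JACK, "mail", True),
        ("self ACI, svc1 outside ou=users",       [SELF_ACI], SVC, SVC, "userPassword", True),
        ("self ACI, passwordChange off",          [SELF_ACI], JACK, JACK, "userPassword", False),
        ("Directory Manager, passwordChange off", [SELF_ACI], ROOT_DN, JACK, "userPassword", False),
    ]
    for label, acis, who, entry, attr, pc in cases:
        print(f"{label:42} {'ALLOW' if can_write(acis, who, entry, attr, pc) else 'DENY'}")
```

Running it shows why the self ACI is the one to keep: it grants every user under ou=users write to their own userPassword and nothing else, while the per-user ACI has to be repeated for each account. It also shows the two caveats worth checking on a real server: an ACI placed on ou=users does not reach accounts elsewhere in the tree, and passwordChange: off in cn=config denies self-service changes even when an ACI allows them, leaving only an administrator (here the root DN) able to set passwords.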
