Monday, March 18, 2024

[389-users] Re: Directory Administrators vs. Password Administrators

Hi,

I assume your question is about the privileges of 'Directory manager' vs
'Password Administrators'.

They are both allowed to bypass the password policy (global or local)
and set any value they want. While 'Directory manager' does not need
a specific ACI, administrators belonging to the 'passwordAdminDN' group do
need ACIs granting read/write on password attributes [1].

[1] https://www.port389.org/docs/389ds/design/password-administrator.html

best regards
thierry

On 3/16/24 00:04, tdarby@arizona.edu wrote:
> I see in the docs that you can make a Password Administrators group, like so:
>
> dn: cn=config
> changetype: modify
> replace: passwordAdminDN
> passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com
>
> I'm curious though, what privileges does a Directory Administrator have over and above one of these Password Administrators?
> --
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

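Added example, not part of the original thread or of 389 Directory Server's own code: a small audit over an LDIF export that checks whether each `passwordAdminDN` group is also granted write access to `userPassword` by an ACI, which is the pairing the reply describes. The sample ACI, the `ou=people` entry and all function names are constructed for illustration, and the ACI parsing is a regex approximation that ignores deny rules, target scope and `userdn`/`roledn` bind rules.

```python
import re
# Constructed sample (not from the thread): the cn=config setting quoted above
# plus a hypothetical ACI on the user subtree, folded as an LDIF export would be.
SAMPLE_LDIF = """\
dn: cn=config
passwordAdminDN: cn=Passwd Admins,ou=groups,dc=example,dc=com

dn: ou=people,dc=example,dc=com
aci: (targetattr = "userPassword")(version 3.0; acl "Passwd Admins password
  access"; allow (read, write, search, compare)
  groupdn = "ldap:///cn=passwd admins,ou=Groups,dc=example,dc=com";)
"""
ACI_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\).*?allow\s*\(([^)]*)\)(.*)', re.I | re.S)

def norm_dn(dn):
    """Case-fold a DN and trim spaces around commas (simplified DN comparison)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_entries(ldif):
    """Unfold LDIF continuation lines; return [(dn, {attr: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.replace("\n ", "").strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs.get("dn", [""])[0], attrs))
    return entries

def aci_grants_password_write(aci, group_dn):
    """True if this allow-ACI lets group_dn write userPassword (regex approximation)."""
    m = ACI_RE.search(aci)
    if not m:
        return False
    op, attrs, rights, bind_rule = m.groups()
    listed = {a.strip().lower() for a in attrs.split("||")}
    # '=' must list the attribute (or '*'); '!=' covers everything NOT listed.
    covered = ("userpassword" in listed or "*" in listed) == (op == "=")
    can_write = {r.strip().lower() for r in rights.split(",")} & {"write", "all"}
    urls = " || ".join(re.findall(r'groupdn\s*=\s*"([^"]*)"', bind_rule, re.I))
    groups = {norm_dn(u) for u in re.findall(r"ldap:///([^|]+)", urls)}
    return covered and bool(can_write) and norm_dn(group_dn) in groups

def audit(ldif):
    """Map each passwordAdminDN value to the entries whose ACIs give it password write."""
    entries = parse_entries(ldif)
    admins = [v for _, attrs in entries for v in attrs.get("passwordadmindn", [])]
    return {g: [dn for dn, attrs in entries
                if any(aci_grants_password_write(a, g) for a in attrs.get("aci", []))]
            for g in admins}
```

An empty list for a group means it is named in `passwordAdminDN` but no ACI in the export lets its members write passwords, so the policy bypass would have nothing to act on.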