On 7/7/25 1:51 PM, Rob Crittenden via 389-users wrote:
> Van Remoortere, Arnaud via 389-users wrote:
>> Hi there, I've created a posixAccount with a userPassword and can login
>> using this user over SSH, the issue is that although "Allow Users to
>> Change their Passwords" is selected in General Settings, I only managed
>> to allow a user to change their own password by writing an ACI:
>>
>> (target="ldap:///cn=jack,ou=users,dc=lab")(targetattr="userPassword")(version
>> 3.0; acl "password"; allow(write) userdn="ldap:///cn=jack,ou=users,dc=lab";)
>>
>> I'm hoping to not need an ACI for each user if there's a better way?
> There is a bind type of "self" which applies to the bound user.
> Self-service basically.
>
> This is from the 389-ds docs on access control:
>
> # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
>
> dn: ou=People,dc=example,dc=com
> changetype: modify
> delete: aci
I think you mean "add", not "delete" :-) This this a copy/paste from
the docs? If so, can you send me the link?
> aci: (targetattr="userPassword") (version 3.0; acl "Allow users
> updating their password"; allow (write) userdn= "ldap:///self";)
>
> rob
>
--
Identity Management Development Team
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
No comments:
Post a Comment