On 6/3/19 1:16 PM, Eric Freeman wrote:

> Between 389 LDAP versions 1.2.11.15-33 and 1.2.11.15-97, we're finding that the Directory Manager account can bypass configured password policies and set user passwords to anything. I believe this is now by design, but is there a configuration file flag to revert to the previous behavior where Directory Manager needed to conform to the password policy?
Sorry there is not.

> If not, how do we create a user account in 389 ldap server with rights to check and update user password hashes, and still enforce configured password policies?

You create a new user, and you add an ACI to the suffix to allow this user to update passwords.


Create a user, something like this

dn: uid=password update user,ou=people,dc=example,dc=com


Add "aci" to the suffix to allow this user rights to update userpassword

ldapmodify -D "cn=directory manager" -W
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "userPassword") (version 3.0; acl "Allow user to update passwords"; allow (write) (userdn = "ldap:///uid=password update user,ou=people,dc=example,dc=com");)


That should do it.

HTH,

Mark



> Please advise
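
The setup Mark describes, written out as a runnable script. This is an added example, not code from the thread or from the 389 project. It assumes the suffix dc=example,dc=com, OpenLDAP client tools (ldapadd/ldapmodify) on the path, the server URL in LDAP_URL, and the service account's password in a file named by SVC_PW_FILE; the account DN and the ACI text follow Mark's reply, and all password values are constructed placeholders. Besides generating the two LDIFs, it includes a least-privilege check on the ACI line (write on userPassword only, no wildcards) and a verification step that binds as the new account and confirms the configured password policy rejects a non-compliant value, which is the property Eric wants and which Directory Manager no longer provides.

```shell
#!/bin/sh
# Added example (not part of the thread). Assumptions: suffix dc=example,dc=com,
# OpenLDAP client tools installed, LDAP_URL like ldap://ldap.example.com:389,
# SVC_PW_FILE holding the service account password. All values are constructed.

SUFFIX="dc=example,dc=com"
SVC_DN="uid=password update user,ou=people,${SUFFIX}"

# LDIF for the limited service account. It is an ordinary entry, not
# Directory Manager, so the configured password policy applies to everything
# it writes.
make_user_ldif() {
    cat <<EOF
dn: ${SVC_DN}
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: password update user
cn: Password Update Service
sn: Service
userPassword: CHANGE-ME-initial-placeholder
EOF
}

# LDIF adding the ACI from the reply to the suffix: write on userPassword
# only, granted to exactly one bind DN.
make_aci_ldif() {
    cat <<EOF
dn: ${SUFFIX}
changetype: modify
add: aci
aci: (targetattr = "userPassword") (version 3.0; acl "Allow user to update passwords"; allow (write) (userdn = "ldap:///${SVC_DN}");)
EOF
}

# Least-privilege check for an ACI line: targetattr must be userPassword,
# the only right may be write, and no wildcard may appear. Whitespace and
# case are normalised first because LDAP attribute names are case-insensitive.
aci_is_narrow() {
    _norm=$(printf '%s\n' "$1" | tr -d ' ' | tr 'A-Z' 'a-z')
    case "$_norm" in
        *'targetattr="userpassword"'*) ;;
        *) return 1 ;;
    esac
    case "$_norm" in
        *'allow(write)'*) ;;
        *) return 1 ;;
    esac
    case "$_norm" in
        *'*'*) return 1 ;;
    esac
    return 0
}

# Apply both LDIFs as Directory Manager (password prompted with -W, never on
# the command line).
apply_setup() {
    make_user_ldif | ldapadd -H "$LDAP_URL" -D "cn=directory manager" -W || return 1
    make_aci_ldif | ldapmodify -H "$LDAP_URL" -D "cn=directory manager" -W || return 1
}

# Bound as the service account, a value that violates the configured policy
# must be rejected and a compliant one accepted. $1 target DN, $2 bad value,
# $3 good value (all placeholders chosen by the caller).
verify_policy() {
    _ldif="dn: $1
changetype: modify
replace: userPassword
userPassword: "
    if printf '%s%s\n' "$_ldif" "$2" | ldapmodify -H "$LDAP_URL" -D "$SVC_DN" -y "$SVC_PW_FILE" >/dev/null 2>&1; then
        echo "FAIL: non-compliant password accepted for $1"
        return 1
    fi
    if ! printf '%s%s\n' "$_ldif" "$3" | ldapmodify -H "$LDAP_URL" -D "$SVC_DN" -y "$SVC_PW_FILE" >/dev/null 2>&1; then
        echo "FAIL: compliant password rejected for $1"
        return 1
    fi
    echo "OK: password policy enforced for ${SVC_DN}"
}

# Only talk to a server when explicitly asked; otherwise the functions above
# can be sourced and used on their own.
if [ "${RUN_LDAP:-0}" = "1" ] && [ -n "${LDAP_URL:-}" ]; then
    apply_setup || exit 1
    verify_policy "uid=alice,ou=people,${SUFFIX}" "short" "CONSTRUCTED-compliant-value-1" || exit 1
fi
```

Run with RUN_LDAP=1 LDAP_URL=ldap://host:389 SVC_PW_FILE=/path/to/file to apply and verify; without those it only defines the functions. If verify_policy reports that the non-compliant value was accepted, the policy is not being applied to that subtree (or the bind silently fell back to an account the policy exempts), which is exactly the condition worth alerting on after a 389 upgrade.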

_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org