Van Remoortere, Arnaud via 389-users wrote: > Hi there, I've created a posixAccount with a userPassword and can login > using this user over SSH, the issue is that although "Allow Users to > Change their Passwords" is selected in General Settings, I only managed > to allow a user to change their own password by writing an ACI: > > (target="ldap:///cn=jack,ou=users,dc=lab";)(targetattr="userPassword")(version > 3.0; acl "password"; allow(write) userdn="ldap:///cn=jack,ou=users,dc=lab";;) > > I'm hoping to not need an ACI for each user if there's a better way?
There is a bind type of "self" which applies to the bound user. Self-service basically. This is from the 389-ds docs on access control: # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x dn: ou=People,dc=example,dc=com changetype: modify delete: aci aci: (targetattr="userPassword") (version 3.0; acl "Allow users updating their password"; allow (write) userdn= "ldap:///self";;) rob -- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
