On 7/7/25 1:51 PM, Rob Crittenden via 389-users wrote:
Van Remoortere, Arnaud via 389-users wrote:
Hi there, I've created a posixAccount with a userPassword and can login
using this user over SSH, the issue is that although "Allow Users to
Change their Passwords" is selected in General Settings, I only managed
to allow a user to change their own password by writing an ACI:
(target="ldap:///cn=jack,ou=users,dc=lab";)(targetattr="userPassword")(version
3.0; acl "password"; allow(write) userdn="ldap:///cn=jack,ou=users,dc=lab";;)
I'm hoping to not need an ACI for each user if there's a better way?
There is a bind type of "self" which applies to the bound user.
Self-service basically.
This is from the 389-ds docs on access control:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
dn: ou=People,dc=example,dc=com
changetype: modify
delete: aci
I think you mean "add", not "delete" :-) This this a copy/paste from
the docs? If so, can you send me the link?
aci: (targetattr="userPassword") (version 3.0; acl "Allow users
updating their password"; allow (write) userdn= "ldap:///self";;)
rob
--
Identity Management Development Team
--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
