Mark Reynolds wrote: > > On 7/7/25 1:51 PM, Rob Crittenden via 389-users wrote: >> Van Remoortere, Arnaud via 389-users wrote: >>> Hi there, I've created a posixAccount with a userPassword and can login >>> using this user over SSH, the issue is that although "Allow Users to >>> Change their Passwords" is selected in General Settings, I only managed >>> to allow a user to change their own password by writing an ACI: >>> >>> (target="ldap:///cn=jack,ou=users,dc=lab";)(targetattr="userPassword")(version >>> >>> 3.0; acl "password"; allow(write) >>> userdn="ldap:///cn=jack,ou=users,dc=lab";;) >>> >>> I'm hoping to not need an ACI for each user if there's a better way? >> There is a bind type of "self" which applies to the bound user. >> Self-service basically. >> >> This is from the 389-ds docs on access control: >> >> # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x >> >> dn: ou=People,dc=example,dc=com >> changetype: modify >> delete: aci > I think you mean "add", not "delete" :-) This this a copy/paste from > the docs? If so, can you send me the link?
It was PEBKAC. The docs show both how to add the new ACI and how to delete it. I flipped back and forth and copied the wrong one. https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html-single/managing_access_control/index#con_how-directory-server-handles-acis-in-a-replication-topology_assembly_managing-access-control-instructions rob >> aci: (targetattr="userPassword") (version 3.0; acl "Allow users >> updating their password"; allow (write) userdn= "ldap:///self";;) >> >> rob >> -- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
