Hi all,
We're implementing a basic user directory with OpenLDAP and the ppolicy
attributes pwdMaxAge and pwdMinAge give us some desired functionality,
but we need the ability for managers to reset a user's password.
If we use the “rootdn” then this works, but we need to have other user
accounts designated as managers. Even if we define ACLs to give our
management group “manage” access we can still get the following from
ldappasswd:
Result: Constraint violation (19)
Additional info: Password is too young to change
Is there any way to designate a group of users as "managers" such that
pwdMinAge is not applied?
These are the ACLs we've tried without success to give the “UserAdmin”
group the rights:
cat <<__EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword
  by self =xw
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" manage
  by anonymous auth
  by * none
olcAccess: to dn.base="ou=Users,${LDAP_SERVER_BASE}"
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" manage
  by * read
olcAccess: to dn.children="ou=Users,${LDAP_SERVER_BASE}"
  filter=(objectClass=posixAccount)
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" write
  by * read
olcAccess: to dn.base="cn=UserAdmin,${LDAP_SERVER_BASE}" attrs=member
  by group.exact="cn=UserAdmin,${LDAP_SERVER_BASE}" write
  by * read
olcAccess: to *
  by * read
-
__EOF
Thanks
Phil
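The "Password is too young to change" result above comes from the ppolicy overlay comparing the entry's pwdChangedTime (a GeneralizedTime stamp the overlay maintains) against the policy's pwdMinAge (in seconds). The script below is an added example, not part of Phil's post or of OpenLDAP: it parses a constructed user entry and policy entry in LDIF form and reports how long a password change would still be refused, which is a quick way for an administrator to confirm that result 19 really is the minimum-age rule rather than an ACL problem. The DNs, timestamps and policy values are made up for the example.

```python
"""Work out whether ppolicy's pwdMinAge would still refuse a password change.

Added example (not from the original post). It reads two constructed LDIF
snippets: a user entry carrying pwdChangedTime and a pwdPolicy entry with
pwdMinAge, then reports the seconds remaining before a change is allowed.
"""
from datetime import datetime, timezone

# Constructed sample user entry, in the shape ldapsearch would print it.
# Attribute names are the real ppolicy ones; the values are invented.
USER_LDIF = """dn: uid=jdoe,ou=Users,dc=example,dc=com
uid: jdoe
pwdChangedTime: 20240301120000Z
pwdPolicySubentry: cn=default,ou=Policies,dc=example,dc=com
"""

# Constructed sample policy: one-day minimum age, ninety-day maximum age.
POLICY_LDIF = """dn: cn=default,ou=Policies,dc=example,dc=com
objectClass: pwdPolicy
pwdAttribute: userPassword
pwdMinAge: 86400
pwdMaxAge: 7776000
"""


def parse_ldif_entry(text):
    """Minimal single-entry LDIF parser.

    Joins continuation lines (a leading space) back onto the previous line
    and collects multi-valued attributes into lists, keyed case-insensitively.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    entry = {}
    for line in lines:
        key, _, value = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry


def parse_generalized_time(value):
    """pwdChangedTime is a GeneralizedTime such as 20240301120000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def seconds_until_change_allowed(user, policy, now):
    """Return 0 when pwdMinAge is satisfied, else the seconds still to wait.

    Assumption made here: with no pwdMinAge (or a value of 0) and with no
    recorded pwdChangedTime there is nothing to enforce, so 0 is returned.
    """
    min_age = int(policy.get("pwdminage", ["0"])[0])
    changed = user.get("pwdchangedtime")
    if min_age <= 0 or not changed:
        return 0
    age = (now - parse_generalized_time(changed[0])).total_seconds()
    return max(0, int(min_age - age))


def diagnose(user_ldif, policy_ldif, now):
    """Human-readable verdict for the given entry, policy and clock time."""
    user = parse_ldif_entry(user_ldif)
    policy = parse_ldif_entry(policy_ldif)
    wait = seconds_until_change_allowed(user, policy, now)
    dn = user["dn"][0]
    if wait == 0:
        return f"{dn}: pwdMinAge satisfied, a password change would be accepted"
    return f"{dn}: pwdMinAge not yet satisfied, {wait} seconds to go (expect result 19)"


if __name__ == "__main__":
    # Six hours after the constructed change time: still inside the one-day window.
    print(diagnose(USER_LDIF, POLICY_LDIF, datetime(2024, 3, 1, 18, 0, tzinfo=timezone.utc)))
    # Two days later: the window has passed.
    print(diagnose(USER_LDIF, POLICY_LDIF, datetime(2024, 3, 3, 12, 0, tzinfo=timezone.utc)))
```

Run against real data by pasting the output of an ldapsearch for the user (including the operational attribute pwdChangedTime, which must be requested explicitly) and for the policy entry named in pwdPolicySubentry, or the default policy if that attribute is absent.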