Hi,
I have a few users in my open-ds dump that have the following attribute:
ds-privilege-name: password-reset
Does something like this exist in 389-server or is it done purely on an ACI level?
Best Regards Rainer
On Wed, 2018-08-22 at 12:41 +0200, rainer@ultra-secure.de wrote:
Hi,
I have a few users in my open-ds dump that have the following attribute:
ds-privilege-name: password-reset
Does something like this exist in 389-server or is it done purely on an ACI level?
If I recall correctly, if you have the write targetattr userPassword, you can reset someone's password. I think this is a good example where we need to document this better as password reset is a common requriement.
I've CCed on our documentation wizard who may know where this is found, or where it should be added.
Thanks!
Best Regards Rainer _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
Am 2018-08-30 00:48, schrieb William Brown:
On Wed, 2018-08-22 at 12:41 +0200, rainer@ultra-secure.de wrote:
Hi,
I have a few users in my open-ds dump that have the following attribute:
ds-privilege-name: password-reset
Does something like this exist in 389-server or is it done purely on an ACI level?
If I recall correctly, if you have the write targetattr userPassword, you can reset someone's password. I think this is a good example where we need to document this better as password reset is a common requriement.
I've CCed on our documentation wizard who may know where this is found, or where it should be added.
Hi,
thanks for the feedback.
I used "Passwd Admins" feature.
dn: cn=Passwd Admins,dc=the,dc=domain,dc=ch changetype: add objectClass: top objectClass: groupOfUniqueNames cn: PasswordAdminsGroup description: Users in this group can change passwords uniqueMember: cn=TechUser,dc=the,dc=domain,dc=ch uniqueMember: cn=reg,dc=appusers,dc=the,dc=domain,dc=ch
dn: cn=config changetype: modify replace: passwordAdminDN passwordAdminDN: cn=Passwd Admins,dc=the,dc=domain,dc=ch
These two users had the ds-privilege-name: password-reset attribute
Is that correct?
Best Regards Rainer
On 08/30/2018 12:04 PM, rainer@ultra-secure.de wrote:
Am 2018-08-30 00:48, schrieb William Brown:
On Wed, 2018-08-22 at 12:41 +0200, rainer@ultra-secure.de wrote:
Hi,
I have a few users in my open-ds dump that have the following attribute:
ds-privilege-name: password-reset
Does something like this exist in 389-server or is it done purely on an ACI level?
If I recall correctly, if you have the write targetattr userPassword, you can reset someone's password. I think this is a good example where we need to document this better as password reset is a common requriement.
I've CCed on our documentation wizard who may know where this is found, or where it should be added.
Hi,
thanks for the feedback.
I used "Passwd Admins" feature.
dn: cn=Passwd Admins,dc=the,dc=domain,dc=ch changetype: add objectClass: top objectClass: groupOfUniqueNames cn: PasswordAdminsGroup description: Users in this group can change passwords uniqueMember: cn=TechUser,dc=the,dc=domain,dc=ch uniqueMember: cn=reg,dc=appusers,dc=the,dc=domain,dc=ch
dn: cn=config changetype: modify replace: passwordAdminDN passwordAdminDN: cn=Passwd Admins,dc=the,dc=domain,dc=ch
These two users had the ds-privilege-name: password-reset attribute
Is that correct?
Correct, the password admin feature gives a user or a group (like what you did) fulll unrestricted access for setting user passwords. They can reset passwords, add prehashed passwords, and add passwords that violate the server's password policy, etc.
http://www.port389.org/docs/389ds/design/password-administrator.html
Mark
Best Regards Rainer _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject....
389-users@lists.fedoraproject.org