On 7/7/25 4:05 PM, Van Remoortere, Arnaud wrote:
> Hi, I appreciate the help, no amount of using search engines found me
> that, what does the "Allow Users to Change their Passwords" in General
> Settings do?
It allows users to change their passwords (if they have authorization to
do so). So if an ACI allows someone to change their own entry, you
could still block them from changing their password by setting the value
to "off". Basically this forces all password updates to go through some
other Administrator/account.
Mark
------------------------------------------------------------------------
*From:* Rob Crittenden via 389-users <[email protected]>
*Sent:* Monday, July 7, 2025 7:03 PM
*To:* Mark Reynolds <[email protected]>; General discussion list for
the 389 Directory server project. <[email protected]>
*Cc:* Van Remoortere, Arnaud <[email protected]>; Rob Crittenden
<[email protected]>
*Subject:* [389-users] Re: user password change issue
Mark Reynolds wrote:
>
> On 7/7/25 1:51 PM, Rob Crittenden via 389-users wrote:
>> Van Remoortere, Arnaud via 389-users wrote:
>>> Hi there, I've created a posixAccount with a userPassword and can login
>>> using this user over SSH, the issue is that although "Allow Users to
>>> Change their Passwords" is selected in General Settings, I only managed
>>> to allow a user to change their own password by writing an ACI:
>>>
>>> (target="ldap:///cn=jack,ou=users,dc=lab")(targetattr="userPassword")(version 3.0; acl "password"; allow(write) userdn="ldap:///cn=jack,ou=users,dc=lab";)
>>>
>>> I'm hoping to not need an ACI for each user if there's a better way?
>> There is a bind type of "self" which applies to the bound user.
>> Self-service basically.
>>
>> This is from the 389-ds docs on access control:
>>
>> # ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
>>
>> dn: ou=People,dc=example,dc=com
>> changetype: modify
>> delete: aci
> I think you mean "add", not "delete" :-) Is this a copy/paste from
> the docs? If so, can you send me the link?
It was PEBKAC. The docs show both how to add the new ACI and how to
delete it. I flipped back and forth and copied the wrong one.
https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html-single/managing_access_control/index#con_how-directory-server-handles-acis-in-a-replication-topology_assembly_managing-access-control-instructions
rob
>> aci: (targetattr="userPassword") (version 3.0; acl "Allow users
>> updating their password"; allow (write) userdn= "ldap:///self";)
>>
>> rob
>>
--
Identity Management Development Team
--
_______________________________________________
389-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
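An added example, not code from the thread or from the 389-ds project: a simplified Python model of how the per-user ACI, the `ldap:///self` ACI and the "Allow Users to Change their Passwords" switch discussed above combine to decide whether a bound user may write `userPassword`. The `cn=jill` entry, the placement DN `ou=users,dc=lab`, the `password_change` parameter and all function names are assumptions made for illustration; the real server evaluates far more ACI syntax than this.

```python
import re

# Simplified model for illustration: reads only target, targetattr,
# allow(...) and a single userdn bind rule. Not 389-ds's own evaluator.
ACI_RE = re.compile(
    r'(?:\(\s*target\s*=\s*"ldap:///(?P<target>[^"]*)"\s*\))?\s*'
    r'\(\s*targetattr\s*=\s*"(?P<attrs>[^"]*)"\s*\)\s*'
    r'\(\s*version 3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'allow\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<who>[^"]*)";\s*\)', re.IGNORECASE)

def norm(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))

def in_subtree(dn, base):
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def parse_aci(text, placed_on):
    """placed_on: DN of the entry holding the aci (its scope when no target)."""
    m = ACI_RE.fullmatch(text.strip())
    if not m:
        raise ValueError("ACI form not covered by this sketch: " + text)
    return {"scope": m["target"] or placed_on,
            "attrs": {a.strip().lower() for a in m["attrs"].split("||")},
            "rights": {r.strip().lower() for r in m["rights"].split(",")},
            "who": m["who"]}

def can_change_password(bind_dn, entry_dn, acis, password_change="on"):
    is_self = norm(bind_dn) == norm(entry_dn)
    # Global switch as described in the reply above: "off" blocks users from
    # changing their own password even when an ACI grants the write.
    if is_self and password_change != "on":
        return False
    for aci in acis:
        if not in_subtree(entry_dn, aci["scope"]):
            continue
        if "userpassword" not in aci["attrs"] or "write" not in aci["rights"]:
            continue
        if (aci["who"].lower() == "self" and is_self) or norm(aci["who"]) == norm(bind_dn):
            return True
    return False

# The two ACIs quoted in the thread; cn=jill and the placement DN are constructed.
JACK, JILL = "cn=jack,ou=users,dc=lab", "cn=jill,ou=users,dc=lab"
PER_USER = parse_aci('(target="ldap:///cn=jack,ou=users,dc=lab")(targetattr="userPassword")'
                     '(version 3.0; acl "password"; allow(write) '
                     'userdn="ldap:///cn=jack,ou=users,dc=lab";)', "ou=users,dc=lab")
SELF = parse_aci('(targetattr="userPassword") (version 3.0; acl "Allow users '
                 'updating their password"; allow (write) userdn= "ldap:///self";)',
                 "ou=users,dc=lab")
```

With the per-user ACI only jack is covered; with the single `self` ACI every user under the container can change their own password but nobody else's, and setting the switch to "off" denies the self-change regardless.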