On Mon, 2016-02-22 at 14:25 -0700, Janet Houser wrote:
> Hi Rob,
>
> I appreciate the comment, and that would be a concern, but users don't
> have login access to the client system. The
> php script is written to allow a friendly remote interface for the
> nonlinux user to be able to change their password.

There shouldn't be the need to read the password field before you change it. You should just need to bind, then issue the password change extended operation.

If you *must* read the userPassword field, I strongly advise that you do not make this for anonymous. You should create a service account (simpleSecurityObject), and give only that dn an aci with read access to the hash.

I still *strongly* advise against this, as you should not need your application to behave like this to change a password.

--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
-- 389 users mailing list 389-users@%(host_name)s http://lists.fedoraproject.org/admin/lists/389-users@xxxxxxxxxxxxxxxxxxxxxxx
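The bind-then-change flow recommended in the reply above, as an added PHP example that is not part of the original message or the poster's script. The host name, the DN layout and the function name `change_password` are assumptions; it needs PHP 7.2 or later with the ldap extension. The script never reads `userPassword`, so no ACI granting read access to the hash is required.

```php
<?php
// Added example; LDAP_URI, USER_DN_FMT and change_password() are hypothetical.
const LDAP_URI    = 'ldap://ldap.example.com';               // assumed host
const USER_DN_FMT = 'uid=%s,ou=People,dc=example,dc=com';    // assumed DN layout

function change_password(string $uid, string $old, string $new): bool
{
    // A simple bind with a DN and an empty password is an unauthenticated
    // bind on many servers and may "succeed", so refuse empty input here.
    if ($uid === '' || $old === '' || $new === '') {
        return false;
    }

    // Escape the user-supplied uid before placing it in a DN.
    $dn = sprintf(USER_DN_FMT, ldap_escape($uid, '', LDAP_ESCAPE_DN));

    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Both the bind and the extended operation carry cleartext passwords,
    // so refuse to continue without TLS.
    if (!@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return false;
    }

    // Step 1: bind as the user with the current password.
    if (!@ldap_bind($conn, $dn, $old)) {
        ldap_unbind($conn);
        return false;
    }

    // Step 2: password modify extended operation (RFC 3062). The server
    // hashes and stores the new value and applies its password policy.
    $result = @ldap_exop_passwd($conn, $dn, $old, $new);

    ldap_unbind($conn);
    return $result === true;
}
```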