On 20 July 2013 10:52, William Brown <william@xxxxxxxxxxxxxxx> wrote: >> For now, LDAP ACL was "turned off" - every user has manage permission, > Each user will have permission on their own ldap object they bind to, to change their passwords. > Root may not be able to bind to ldap, or roots object doesn't have the acl to modify the password attr on the user's object. It is not entirely true. With ACL as above, or commonly used ACL: to userPassword by self write by * auth it is true, but users tend to forgot their passwords, and You don't have to give them write permission to yserPassword attribute. Now there need to be some other way for administrator to reset users passwords. Command "passwd" is most common, and doesn't require admin to remember user DN. > What ldap server are you using? You may consider contacting thier mailing lists for help. >[root@ldap ~]# cat /etc/openldap/ldap.conf |grep -ve "^#"|grep -ve "^$" >> Configs, logs, etc are in here: http://fpaste.org/26708/ it is openldap. thanks, I will. > Sincerely, > William Thanks for reply -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
