From cef97e124cf80021b08e7944d670ce45e04cc072 Mon Sep 17 00:00:00 2001
From: Buchan Milne
Date: Sat, 22 Jan 2011 09:48:10 +0000
Subject: Change ACL for non-privileged users to not work on reset model, instead allow registrars to change unprivileged passwords directly
---
modules/openldap/templates/mandriva-dit-access.conf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'modules/openldap/templates/mandriva-dit-access.conf')
diff --git a/modules/openldap/templates/mandriva-dit-access.conf b/modules/openldap/templates/mandriva-dit-access.conf
index aac4d32e..d6a8a49c 100644
--- a/modules/openldap/templates/mandriva-dit-access.conf
+++ b/modules/openldap/templates/mandriva-dit-access.conf
@@ -22,8 +22,8 @@ access to dn.subtree="<%= dc_suffix %>"
 # Allow account registration to write userPassword of unprivileged users accounts
 access to dn.subtree="ou=People,<%= dc_suffix %>"
  filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
- attrs=userPassword,pwdReset
- by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a
+ attrs=userPassword
+ by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
  by * +0 break
 # shadowLastChange is here because it needs to be writable by the user because
--
cgit v1.2.1
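Review bot: With `+w` on the new `by group/groupOfNames/member.exact="cn=registrars,…"` clause, any member of cn=registrars can replace or delete `userPassword` on every entry the filter matches, so the `(!(objectclass=posixAccount))` test becomes the only boundary between a registrar credential and account takeover. If entries under ou=People gain privileges through group membership rather than through posixAccount, they would fall inside this rule as well; that cannot be confirmed from the hunk, since the rest of the ACL file is outside it. Dropping `pwdReset` from `attrs` also means this rule no longer lets a registrar mark a password it sets as needing a change. The comment above the rule should record this, for example `# registrars get full write on userPassword here; scope is limited only by the filter, and pwdReset is intentionally not writable`. Auditing writes made by that group would help detect misuse of the registration account.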