Revision

877

Author

buchan

Date

2011-01-22 10:48:10 +0100 (Sat, 22 Jan 2011)

Log Message

Change ACL for non-privileged users to not work on reset model, instead allow
registrars to change unprivileged passwords directly

Modified Paths

• puppet/modules/openldap/templates/mandriva-dit-access.conf

Modified: puppet/modules/openldap/templates/mandriva-dit-access.conf
===================================================================
--- puppet/modules/openldap/templates/mandriva-dit-access.conf	2011-01-21 14:53:38 UTC (rev 876)
+++ puppet/modules/openldap/templates/mandriva-dit-access.conf	2011-01-22 09:48:10 UTC (rev 877)
@@ -22,8 +22,8 @@
 # Allow account registration to write userPassword of unprivileged users accounts
 access to dn.subtree="ou=People,<%= dc_suffix %>" 
 	filter="(&(objectclass=inetOrgPerson)(!(objectclass=posixAccount)))"
-	attrs=userPassword,pwdReset
-	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +a
+	attrs=userPassword
+	by group/groupOfNames/member.exact="cn=registrars,ou=system groups,<%= dc_suffix %>" +w
 	by * +0 break
 
 # shadowLastChange is here because it needs to be writable by the user because