Posted to users@directory.apache.org by Mark-nospam <te...@debusschere.com> on 2015/06/02 04:17:54 UTC

Admin authorization for modifying passwords, did it change ? how to apply admin role to a user ?

The last version I was using was M17, and I believe my scripts were able to bind
with a private apps admin user and then create new users with passwords.
I updated to M20, and this operation now fails with: "Non-admin user cannot access another user's password to modify it".
I thought there was a recent discussion on this, but I failed to find it in the mail
archives, and I don't see anything in the changes between M17 and M20 related to this.

Regardless, I would like to resolve this in the correct manner going forward.

Is it possible to create user A in partition A that can acquire the Admin role for changing passwords
for other users in partition A or partition B, etc.?

Can this group be used to associate other users as admins? DN: cn=Administrators,ou=groups,ou=system

Or is DN: uid=admin,ou=system the only user going forward which can make password changes
when the requesting user doesn't match user-password?

Thanks, Mark.

Re: Admin authorization for modifying passwords, did it change ? how to apply admin role to a user ?

Posted by Emmanuel Lécharny <el...@gmail.com>.
On 02/06/15 08:49, Kiran Ayyagari wrote:
> On Tue, Jun 2, 2015 at 10:17 AM, Mark-nospam <te...@debusschere.com>
> wrote:
>
>> The last version I was using M17, I believe my scripts were able to bind
>> with a private apps admin user and then create new users with passwords.
>> I updated to M20, this operation now fails with : "Non-admin user cannot
>> access another user's password to modify it"
>> I thought there was recent discussion on this but I failed to find it in
>> the mail
>> archives and I don't see anything in changes between M17-M20 related to
>> this.
>>
>> Regardless, I would like to resolve in correct manner going forward.
>>
>> Is it possible to create user A in partition A that can acquire Admin role
>> for changing passwords
>> for other users in partition A or partition B etc.
>>
>> Can this group be used to associate other users as admins? DN:
>> cn=Administrators,ou=groups,ou=system
>>
>> Or, is DN: uid=admin,ou=system the only user going forward which can make
>> passwords changes
>> when the requesting user doesn't match user-password.
>>
> currently this is the only way, (we have been discussing on how to grant
> other users admin privilege, but
> this is not there in the server yet)

You can also define an ACL to allow a set of users to modify the
userPassword attributes. This is a bit convoluted, but this is the way
to go.

We can try to give you some configuration examples later (a bit busy atm).

Re: Admin authorization for modifying passwords, did it change ? how to apply admin role to a user ?

Posted by Kiran Ayyagari <ka...@apache.org>.
On Tue, Jun 2, 2015 at 10:17 AM, Mark-nospam <te...@debusschere.com>
wrote:

> The last version I was using M17, I believe my scripts were able to bind
> with a private apps admin user and then create new users with passwords.
> I updated to M20, this operation now fails with : "Non-admin user cannot
> access another user's password to modify it"
> I thought there was recent discussion on this but I failed to find it in
> the mail
> archives and I don't see anything in changes between M17-M20 related to
> this.
>
> Regardless, I would like to resolve in correct manner going forward.
>
> Is it possible to create user A in partition A that can acquire Admin role
> for changing passwords
> for other users in partition A or partition B etc.
>
> Can this group be used to associate other users as admins? DN:
> cn=Administrators,ou=groups,ou=system
>
> Or, is DN: uid=admin,ou=system the only user going forward which can make
> passwords changes
> when the requesting user doesn't match user-password.
>
Currently this is the only way (we have been discussing how to grant
other users admin privilege, but
this is not there in the server yet).

>
> Thanks, Mark.

-- 
Kiran Ayyagari
http://keydap.com