I'm trying to set my OpenDJ LDAP to not allow users to change their password via an LDAP browser. Currently I'm testing this on Apache Directory Studio. In OpenDJ, I've set ds-cfg-allow-user-password-changes: false, but I'm still able to use the browser to create a new password. Am I missing something? This seems to be the only property in OpenDJ's java.properties that would control this.
The configuration attribute in the default password policy ds-cfg-allow-user-password-changes controls whether a user is allowed to change his own password. My guess is that with Apache Directory Studio, you are authenticated as an Administrator who has permissions to change passwords. You can also control read-write permissions to the userPassword attribute with Access Controls. The default global ACIs allow a user to write the attribute only in their own entry.

Ludovic Poitou
That was it! I was logged in as an admin. Logging in as a user wouldn't allow password changes. Thanks! – jordaniac89 Jun 10 '14 at 16:57
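The answer's point about Access Controls can be audited offline. The following is an added example, not code from the original post or from OpenDJ: a small Python check that reads ACI strings and reports which ones grant or deny a user write access to userPassword in their own entry. The sample ACIs, ACL names and function names are constructed for illustration, and the parser handles only the `targetattr` / `userdn="ldap:///self"` form; it ignores target scoping and says nothing about what an administrator account may do.

```python
import re

# Constructed sample ACIs in OpenDJ-style ACI syntax (not copied from any server).
SAMPLE_ACIS = [
    '(targetattr="cn||sn||userPassword")(version 3.0; acl "Self edit"; allow (write) userdn="ldap:///self";)',
    '(targetattr="*")(version 3.0; acl "Anonymous read"; allow (read,search,compare) userdn="ldap:///anyone";)',
    '(targetattr!="userPassword")(version 3.0; acl "Self write, no password"; allow (write) userdn="ldap:///self";)',
    '(targetattr="userPassword")(version 3.0; acl "Helpdesk reset"; allow (write) groupdn="ldap:///cn=helpdesk,ou=groups,dc=example,dc=com";)',
    '(targetattr="userPassword")(version 3.0; acl "Block self change"; deny (write) userdn="ldap:///self";)',
]

ACI_RE = re.compile(
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)'
    r'.*?acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'(?P<subject>.*?);\s*\)\s*$',
    re.IGNORECASE | re.DOTALL,
)

def self_password_rules(acis, attr="userPassword"):
    """Return [(acl name, 'allow'|'deny')] for ACIs whose write permission
    covers `attr` and whose bind rule is userdn="ldap:///self"."""
    hits = []
    for aci in acis:
        m = ACI_RE.search(aci)
        if not m:
            continue  # unsupported ACI form: skip rather than guess
        attrs = {a.strip().lower() for a in m["attrs"].split("||")}
        listed = "*" in attrs or attr.lower() in attrs
        # targetattr!="x" targets every attribute except the listed ones
        covered = listed if m["op"] == "=" else not listed
        perms = {p.strip().lower() for p in m["perms"].split(",")}
        writes = bool(perms & {"write", "all"})
        subject = m["subject"].lower()
        is_self = "userdn" in subject and "ldap:///self" in subject
        if covered and writes and is_self:
            hits.append((m["name"], m["effect"].lower()))
    return hits

def self_change_allowed(acis, attr="userPassword"):
    """A deny ACI takes precedence over any allow; no matching allow means no access."""
    effects = [effect for _, effect in self_password_rules(acis, attr)]
    return "deny" not in effects and "allow" in effects

if __name__ == "__main__":
    print(self_password_rules(SAMPLE_ACIS))
    print(self_change_allowed(SAMPLE_ACIS))
```
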