hendersj Acclaimed Contributor.

Re: Minimum Rights to Change User Password

On Wed, 25 Jul 2012 19:16:01 +0000, clevelandh wrote:

> I am trying to determine how to assign minimum rights to a user account
> that can be used by a Java application to change other user account
> passwords.


W rights to the password management pseudo-attribute will do the trick
IIRC.

Jim



--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner
hendersj Acclaimed Contributor.

Re: Minimum Rights to Change User Password

On Wed, 25 Jul 2012 19:46:02 +0000, clevelandh wrote:

> Thanks Jim, but again...being a novice...how would I do that via
> iManager?


For the individual object (and if you want to do a subtree, you pick the
parent container):

https://www.netiq.com/documentation/imanager27/imanager_admin_275/data/bob1yft.html
covers navigation in iManager.

Modify the access control list (ACL) and you'll see that attribute in the
list. Modify the rights so the object (or group) has W rights to the
password management attribute.

Save the changes and you should be set to go.

Jim
--
Jim Henderson, CNA6, CDE, CNI, LPIC-1, CLA10, CLP10
Novell Knowledge Partner
Knowledge Partner

Re: Minimum Rights to Change User Password

On 7/25/2012 6:38 PM, Jim Henderson wrote:
> On Wed, 25 Jul 2012 19:46:02 +0000, clevelandh wrote:
>
>> Thanks Jim, but again...being a novice...how would I do that via
>> iManager?
>
> For the individual object (and if you want to do a subtree, you pick the
> parent container):
>
> https://www.netiq.com/documentation/imanager27/imanager_admin_275/data/bob1yft.html
> covers navigation in iManager.
>
> Modify the access control list (ACL) and you'll see that attribute in the
> list. Modify the rights so the object (or group) has W rights to the
> password management attribute.


More simply, use the Rights tab, modify trustees, select the object who
you wish to grant permission over. (users.acme for example).

Then you add a trustee (admin.acme) object as trustee over this object
and then the trustees themselves are shown on another page (I forget
what the button is labelled right now, but it is obvious).

Then you grant Password Management from the list, and select just the W,
and probably I for inheritable.


Anonymous_User Absent Member.

Re: Minimum Rights to Change User Password


We are using the Password Management ACL, and have had it working in our
production environment for many months - a driver reads the password
attribute on a user. The same driver exists in our development
environment, but it's not succeeding in reading user passwords. (I
turned on tracing for the related rules. When I run a user with a
confirmed password value through the driver in development, the password
value is returned as "".)

I checked the ACLs on the parent container (for users) in both
development and production. Both have compare/read/write privileges on
the passwordManagement pseudo-attribute.

ACL: 7#subtree#cn=PWQAdmin,ou=IDM,o=services#passwordManagement

Can anyone suggest other ways I can troubleshoot the problem? Thanks for
your help!


--
mmmonfor
------------------------------------------------------------------------
mmmonfor's Profile: https://forums.netiq.com/member.php?userid=2460
View this thread: https://forums.netiq.com/showthread.php?t=2165
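
An added example, not part of any post in this thread: a small audit helper that decodes ACL values in the `rights#scope#trustee#attribute` form quoted above and reports trustees whose grant on passwordManagement is anything other than the Write-only right suggested earlier in the thread. The bit names are an assumption consistent with the post's "7" meaning compare/read/write; every trustee except PWQAdmin is a constructed sample.

```python
from typing import NamedTuple

# Bit values assumed here; they match the thread's "7" = compare/read/write.
ATTR_RIGHTS = {1: "compare", 2: "read", 4: "write"}
WRITE = 4

class Acl(NamedTuple):
    rights: int
    scope: str      # "entry" or "subtree" (subtree = inherited below)
    trustee: str
    attribute: str

def parse_acl(value: str) -> Acl:
    """Parse 'rights#scope#trustee#attribute', with or without 'ACL:'."""
    text = value.strip()
    if text.lower().startswith("acl:"):
        text = text[4:].strip()
    parts = text.split("#")
    if len(parts) != 4 or not parts[0].isdigit():
        raise ValueError(f"not an ACL value: {value!r}")
    return Acl(int(parts[0]), parts[1].lower(), parts[2], parts[3])

def right_names(mask: int) -> list:
    names = [name for bit, name in ATTR_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(ATTR_RIGHTS)
    if unknown:
        names.append(f"other(0x{unknown:x})")  # bits this sketch does not name
    return names

def audit(values, attribute="passwordManagement"):
    """Return (trustee, scope, issue, rights) for grants that are not W-only."""
    findings = []
    for value in values:
        acl = parse_acl(value)
        if acl.attribute.lower() != attribute.lower():
            continue
        if not acl.rights & WRITE:
            findings.append((acl.trustee, acl.scope, "no write", right_names(acl.rights)))
        elif acl.rights & ~WRITE:
            findings.append((acl.trustee, acl.scope, "beyond write",
                             right_names(acl.rights & ~WRITE)))
    return findings

# First value is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "ACL: 7#subtree#cn=PWQAdmin,ou=IDM,o=services#passwordManagement",
    "4#subtree#cn=pwreset,o=acme#passwordManagement",
    "2#entry#cn=helpdesk,o=acme#passwordManagement",
    "3#subtree#cn=pwreset,o=acme#cn",
]
```

Calling `audit(SAMPLE)` lists the PWQAdmin grant as "beyond write" because it also carries compare and read, which a trustee that reads passwords needs but one that only changes them does not.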

Anonymous_User Absent Member.

Re: Minimum Rights to Change User Password

To me this sounds like a new issue.... not asking what rights are needed
but asking instead what to do from here. I'd recommend starting a new
thread to handle that issue. In the meantime, are both environments using
EXACTLY the same version of eDirectory? Both using the exact same
Universal Password (UP) policy (not just the name, but the policy
definition of course) applied to the user(s) in question? There was a bug
last year where the ability to do things with passwords thanks to
'Password Management' was broken; I believe all current versions of eDir
are fixed (8.8 SP7 Patch 2 is, from my memory, current).

Good luck.
Anonymous_User Absent Member.

Re: Minimum Rights to Change User Password


MOVED TO A NEW THREAD: http://tinyurl.com/b64n2uv


--
mmmonfor