
On Mon, 2003-09-08 at 20:13, Martin Edenhofer wrote:
> BTW: Authenticated users do have self write permission on their password field in LDAP.
> It's wanted. Because there should be no way (IMO) for other applications to write into your LDAP. It's critical, because at some point you will get an inconsistent directory if each application is writing into your directory.
Could you explain that a little bit more? In my eyes LDAP is fully multi-user capable, as it's widely used in Linux-ish environments for user authentication. I personally use it for PAM-based LDAP authentication and address book management, as well as for SMTP server configuration. I am completely relying on LDAP. In other words, passwords are stored nowhere else, and (nearly) parallel writes should be allowed (address books).

If I didn't get the OpenLDAP/pam_ldap documentation completely wrong, a solution like this could be capable of serving thousands of users. This wouldn't be possible in a one-user LDAP environment, would it?

Btw, why would user X want, or be allowed, to change the password for another user without the other user knowing this?

Regards,
Robert Kehl
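The two points argued in this thread, "self write permission on the password field" and "user X must not be able to change user Y's password", come down to how the OpenLDAP access-control list on userPassword is written. The following slapd.conf fragment is an added illustration, not configuration posted by either participant; the suffix dc=example,dc=com and the ou=People subtree are assumed names. The first access directive is the weak form that lets every bound user overwrite every other user's password; the second is the form that grants write only to the entry's own DN while still letting anyone bind against it.

```conf
# Added example, not from the original thread.
# Assumed suffix: dc=example,dc=com

# WEAK: "by users write" grants write on userPassword to every
# authenticated DN, so user X can reset user Y's password unnoticed.
# access to attrs=userPassword
#        by users write
#        by anonymous auth
#        by * none

# CORRECTED: only the entry's own DN may write its userPassword.
# "anonymous auth" lets a simple bind compare the password without
# reading it; "* none" denies everything else (the rootdn is exempt).
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Address-book and other attributes stay multi-user: each person
# edits their own entry, everyone who is bound may read.
access to dn.subtree="ou=People,dc=example,dc=com"
        by self write
        by users read
        by * none
```

Two caveats a practitioner should keep in mind: slapd evaluates `access to` directives in order and applies the first one whose target matches, so the userPassword rule must appear before any broader rule on the same subtree, and within a directive only the first matching `by` clause is applied. The quickest check is to bind as one ordinary user and run `ldappasswd` against a different user's DN; with the corrected ACL the server answers with insufficient access, with the weak one it silently succeeds.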