content/apacheds/advanced-ug/4.2.7.2-allow-self-password-modify.mdtext - directory-site - Git at Google

 Title: 4.2.7.2 - Allow Self Password Modify
 NavPrev: 4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html
 NavPrevText: 4.2.7.1 - Enable Authenticated Users to Browse and Read Entries
 NavUp: 4.2.7-using-acis-trail.html
 NavUpText: 4.2.7 Using ACIs trail
 NavNext: 4.2.7.3-.html
 NavNextText: 4.2.7.3 -
 Notice: Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
     regarding copyright ownership.  The ASF licenses this file
     to you under the Apache License, Version 2.0 (the
     "License"); you may not use this file except in compliance
     with the License.  You may obtain a copy of the License at
     .
     http://www.apache.org/licenses/LICENSE-2.0
     .
     Unless required by applicable law or agreed to in writing,
     software distributed under the License is distributed on an
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
     under the License.

 # 4.2.7.2 - Allow Self Password Modify

 We will  now configure the system to allow anyone to modify his/her own password :

     :::text
     {
       identificationTag "allowSelfAccessAndModification",
       precedence 14,
       authenticationLevel none,
       itemOrUserFirst userFirst:
       {
         userClasses { thisEntry },
         userPermissions
         {
           { protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } },
           { protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } }
         }
       }
     }

 ## Commentary

 Note that two different user permissions are used to accurately specify self access and self modification of the **userPassword** attribute within the entry.  So with the first userPermission of this ACI a user would be able to read all attributes and values within his/her entry.  They also have the ability to modify the entry but this is moot since they cannot add, remove or replace any attributes within their entry.  The second user permission completes the picture by granting add and remove permissions to all values of userPassword.  This means the user can replace the password.

 <DIV class="warning" markdown="1">
 **grantAdd + grantRemove = grantReplace**
 Modify operations either add, remove or replace attributes and their values in LDAP.  X.500 seems to have overlooked the replace capability.  Hence there is no such thing as a *grantReplace* permission.  However grantAdd and grantDelete on an attribute and its values are both required for a replace operation to take place.
 </DIV>
	Title: 4.2.7.2 - Allow Self Password Modify
	NavPrev: 4.2.7.1-enable-authenticated-users-to-browse-and-read-entries.html
	NavPrevText: 4.2.7.1 - Enable Authenticated Users to Browse and Read Entries
	NavUp: 4.2.7-using-acis-trail.html
	NavUpText: 4.2.7 Using ACIs trail
	NavNext: 4.2.7.3-.html
	NavNextText: 4.2.7.3 -
	Notice: Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at
	.
	http://www.apache.org/licenses/LICENSE-2.0
	.
	Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.

	# 4.2.7.2 - Allow Self Password Modify

	We will now configure the system to allow anyone to modify his/her own password :

	:::text
	{
	identificationTag "allowSelfAccessAndModification",
	precedence 14,
	authenticationLevel none,
	itemOrUserFirst userFirst:
	{
	userClasses { thisEntry },
	userPermissions
	{
	{ protectedItems {entry}, grantsAndDenials { grantModify, grantBrowse, grantRead } },
	{ protectedItems {allAttributeValues {userPassword}}, grantsAndDenials { grantAdd, grantRemove } }
	}
	}
	}

	## Commentary

	Note that two different user permissions are used to accurately specify self access and self modification of the userPassword attribute within the entry. So with the first userPermission of this ACI a user would be able to read all attributes and values within his/her entry. They also have the ability to modify the entry but this is moot since they cannot add, remove or replace any attributes within their entry. The second user permission completes the picture by granting add and remove permissions to all values of userPassword. This means the user can replace the password.

	<DIV class="warning" markdown="1">
	grantAdd + grantRemove = grantReplace
	Modify operations either add, remove or replace attributes and their values in LDAP. X.500 seems to have overlooked the replace capability. Hence there is no such thing as a grantReplace permission. However grantAdd and grantDelete on an attribute and its values are both required for a replace operation to take place.
	</DIV>